Should Fedora rpms be signed?
Paul Iadonisi
pri.rhl3 at iadonisi.to
Fri Oct 29 18:26:27 UTC 2004
On Fri, 2004-10-29 at 20:15 +0200, Nils Philippsen wrote:
[snip]
> Umm yeah. Some people were proposing that Rawhide packages should not be
> signed at all. I myself think this is a bad idea and that all packages,
> regardless of their quality, should be signed. Hey even more so with bad
> packages I want to know who's responsible ;-).
Umm, yeah, then. I see your gripe. And I share it. I do NOT,
however think that an automated signing procedure (password-less, or key
stored in an agent or an expect script) is a good idea, regardless of
whether or not Red Hat is doing that at the moment. I'd rather have the
majority of rawhide packages signed (as they are today) and the few non-
signed ones (the several hundred after FC3T1 or FC3T2 being the
exception, not the rule) verifiable via a signed list of md5sums.
One thing isn't clear to me, though. I thought the reason that not
every package was signed in rawhide was because the person(s) with key
signing authority was not available at the time the package was pushed
to rawhide. If this is the case, that implies that the rawhide key is
not, in fact, password-less and the key is not stored in an agent, nor
is the password embedded in some expect script. It requires manually
typing the password. So if that's the case, what do I make of Matias
Féliciano's post where he referenced a page on Red Hat's site (sorry, I
don't have the reference handy) that indicated that the rawhide key
*was* in fact password-less?
--
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets
More information about the fedora-test-list
mailing list