Should Fedora rpms be signed?

Matias Féliciano feliciano.matias at free.fr
Fri Oct 29 20:56:41 UTC 2004


On Friday 29 October 2004 at 12:45 -0600, Rodolfo J. Paiz wrote:

>  Matías is vehemently pro signing
> *every* package

Yes. But I never said that a signed repository is a bad solution :-)

Signing a repository has its benefits.
Signing every package has its benefits.

But I don't think it's easier to sign a repository than all the packages.

For signing a repository, one command line would be used (I suppose):
- gpg --sign ... OR createrepo --addsign

For signing all packages, one command line would be used:
- rpm --addsign <list of rpm package>

If Red Hat can use one of these methods, they can easily do both (it
seems).