[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Submission policy



On Sun, 04 Jul 2004 14:29:04 +0200, Leonard den Ottolander wrote:

> Hi,
> 
> A question regarding submission policy
> (http://www.fedora.us/wiki/PackageSubmissionQAPolicy):
> Item 4: Why does one need to rpm --resign instead of rpmbuild --sign,
> and why as a different user? Especially the latter puzzles me.

In one word: paranoia.

The user account used to do the compilation should not have access to
any security relevant files, including GPG private keys. It all boils
down to just another matter of trust. If packager does trust upstream
developers and upstream source tarball integrity, rpmbuild --sign is
not considered a problem.

> I think it's a good idea to also add this explanation to that page.

Most likely an even better idea is to move it onto the PackagingHints
page.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]