[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fedora Rel-Eng Meeting Recap 2007-JUL-02



John Poelstra <poelstra <at> redhat.com> writes:

>  * Draft spec for the signing server by f13 is here:
http://fedoraproject.org/wiki/JesseKeating/SigningServerSpecDraft

Just one comment here, regarding the draft itself. The Fedora Account System
would be used for authentication, which makes sense, but a single compromised
account may mean trojaned packages. I know, not very likely (Or is it? Do we
force password complexity on folks? Mandatory password changes?), but better be
paranoid...

Would it be possible to organise that multiple authorised users have to approve
the package for signing before it actually gets signed? That way there are at
least some checks and balances in the system.

--
Bojan


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]