On Thu, 25 Oct 2007 16:10:59 +0200
Till Maas <opensource till name> wrote:

> What is the problem with an automated signing process? It cannot
> be worse than the current situation where rawhide rpms are only
> available in unsecure ways for the common user. When the ssl
> certificate for koji is changed to one from a trusted ca, then at
> least they are available there, but it is still a lot more work than
> to just using a mirror. And I guess it is not intended to use koji as
> a repository.

Because it really doesn't offer much protection. All it really says is
"this fell out of koji", which there is /some/ level of comfort about
that, but not much. More scary to me is that with the signing server
going to be so fresh I just don't want to hook an automated process up
to it, one that could potentially be exploited to gain access to more
important keys. It's the paranoid in me.

--
Jesse Keating
Fedora -- All my bits are free, are yours?