Re: Development to Official

On Thu, 25 Oct 2007 16:10:59 +0200
Till Maas <opensource till name> wrote:

> What is the problem with an automated signing process?[1] It cannot
> be worse than the current situation where rawhide rpms are only
> available in unsecure ways for the common user. When the SSL
> certificate for koji is changed to one from a trusted CA, then at
> least they are available there, but it is still a lot more work than
> just using a mirror. And I guess it is not intended to use koji as
> a repository.

Because it really doesn't offer much protection.  All it really says is
"this fell out of koji", and there is /some/ level of comfort about
that, but not much.

More scary to me is that with the signing server going to be so fresh I
just don't want to hook an automated process up to it, one that could
potentially be exploited to gain access to more important keys.
It's the paranoid in me.

Jesse Keating
Fedora -- All my bits are free, are yours?

