[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Development to Official



On Thu, 25 Oct 2007 16:10:59 +0200
Till Maas <opensource till name> wrote:

> What is the problem with an automated signing process?[1] It cannot
> be worse than the current situation where rawhide rpms are only
> available in unsecure ways for the common user. When the ssl
> certificate for koji is changed to one from a trusted ca, then at
> least they are available there, but it is still a lot more work than
> to just using a mirror. And I guess it is not intended to use koji as
> a repository.

Because it really doesn't offer much protection.  All it really says is
"this fell out of koji", which there is /some/ level of comfort about
that, but not much.

More scary to me is that with the signing server going to be so fresh I
just don't want to hook an automated process up to it, one that could
potentially be exploited to gain access to more important keys.
It's the paranoid in me.

-- 
Jesse Keating
Fedora -- All my bits are free, are yours?

Attachment: signature.asc
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]