Package XYZ is not signed
Till Maas
opensource at till.name
Mon Oct 29 07:27:23 UTC 2007
On Sun October 28 2007, Andrew Farris wrote:
> prevent that either (in rawhide). Testing rawhide isn't for boxes with
> corporate sensitive data...
This seems not to be common knowledge, because afaik even Fedora Maintainers
use Rawhide on a system where they create new packages.
> Actually signing the package from the build system would change very little
> other than insure that the mirror you're downloading from did not bring in
> a new package that doesn't belong.
Imho it is a big benefit, because it is very easy for a mirror maintainer to
change a package. Also someone who breaks into a mirror can easily cause
heavy damage. And last but not least, the manipulation of the package can
also happen on the connection to the mirror, e.g. at conferences with
free/open wifi/internet access.
Regards,
Till
More information about the fedora-devel-list
mailing list