[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Package XYZ is not signed



Am Sonntag, den 28.10.2007, 13:40 -0700 schrieb Andrew Farris:
> If you keep an eye on where your packages are coming from, even for rawhide,
> then you can be sure that only authorized maintainers have put them into the
> system (control which mirrors you're pulling them from).  Actually signing the
> package from the build system would change very little other than insure that
> the mirror you're downloading from did not bring in a new package that doesn't
> belong.

It worries me massively, from a security perspective, that someone from
inside Red Hat would say something as wrong as this.

> 
> So as it stands, you have to extend trust to the maintainers, and the mirror.
> You can pick which mirror you trust.
> 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]