Package XYZ is not signed
nodata
lsof at nodata.co.uk
Tue Oct 30 18:25:04 UTC 2007
Am Sonntag, den 28.10.2007, 13:40 -0700 schrieb Andrew Farris:
> If you keep an eye on where your packages are coming from, even for rawhide,
> then you can be sure that only authorized maintainers have put them into the
> system (control which mirrors you're pulling them from). Actually signing the
> package from the build system would change very little other than insure that
> the mirror you're downloading from did not bring in a new package that doesn't
> belong.
It worries me massively, from a security perspective, that someone from
inside Red Hat would say something as wrong as this.
>
> So as it stands, you have to extend trust to the maintainers, and the mirror.
> You can pick which mirror you trust.
>
More information about the fedora-devel-list
mailing list