[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Package XYZ is not signed



Am Dienstag, den 30.10.2007, 19:25 +0100 schrieb nodata:
> Am Sonntag, den 28.10.2007, 13:40 -0700 schrieb Andrew Farris:
> > If you keep an eye on where your packages are coming from, even for rawhide,
> > then you can be sure that only authorized maintainers have put them into the
> > system (control which mirrors you're pulling them from).  Actually signing the
> > package from the build system would change very little other than insure that
> > the mirror you're downloading from did not bring in a new package that doesn't
> > belong.
> 
> It worries me massively, from a security perspective, that someone from
> inside Red Hat would say something as wrong as this.

Oh, you don't work for Red Hat. Sorry. But your statement is still
completely off the field.

> > 
> > So as it stands, you have to extend trust to the maintainers, and the mirror.
> > You can pick which mirror you trust.
> > 
> 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]