[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Time to resurrect multi-key signatures in RPM?



Les Mikesell <lesmikesell <at> gmail.com> writes:

> But what if 
> it is the src rpm that is compromised so the builds will be identical 
> because they both contain the modification?

That is not exactly the compromise of the build system and/or Fedora key, now is
it? If your own contributors are subverting the system by uploading borked
source, the mutli-key system isn't going to help (and I never claimed that).

For people that are not convinced in the usefulness of this (in principle), go
the a bank and try to open an account. See if they'll be OK with you producing
just one piece of ID.

--
Bojan


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]