[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: mono and snk key files



On 12/19/2009 11:03 AM, Christopher Brown wrote:
> 2009/12/15 Adam Goode <adam spicenitz org>:
>> On 12/13/2009 06:16 AM, Christopher Brown wrote:
>>> 2009/12/11 Adam Goode <adam spicenitz org>:
>>>> We should definitely use Debian's key, right? Otherwise some Fedora CLI
>>>> libraries would be unnecessarily incompatible with Debian, and whoever
>>>> else uses Debian's key.
>>>>
>>>> The whole business of not shipping code-signing keys is a little
>>>> contrary to open source. I think this is something that GPLv3 would
>>>> prohibit. We should use a single well-known signing key for any package
>>>> that we don't have the keys for, I think.
>>>
>>> You're right.
>>>
>>> This has already been resolved in devel by added mono.snk to the
>>> mono-devel package. I'm just waiting on commit access to make the
>>> required changes to F-11 and F-12 unless someone else wants to do it.
>>>
>>
>> It looks like spot generated a new mono.snk. I was arguing to use
>> Debian's mono.snk, for cross-distro compatibility. Shouldn't everyone
>> should use Debian's key unless a package provides its own?
> 
> Ideally we (Fedora and Debian) should use a single key generated by
> upstream but as this issue is only problematic due to cyclic dep
> problems in the build process I think that using our own is enough.
> Unfortunately I don't care enough to chase this issue further.

Yeah, I think there is very little merit in giving any amount of trust
to that key, nor is there any real value in picking up mono bits built
for Debian and putting them on Fedora and expecting them to work (or
vice versa).

~spot


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]