Update Announcement Format discussion
Jesse Keating
jkeating at j2solutions.net
Mon Jan 12 18:11:02 UTC 2004
On Monday 12 January 2004 02:51, Warren Togami wrote:
> There are several reasons why this is a bad idea:
>
> 1) Advisories just don't happen so often to necessitate this.
Maybe not, but it helps to streamline the process and further ensure
uniformity in the announcements.
> 2) http://www.fedora.us/LEGACY
> Higher priority to actually work on the packages, which have been
> stalled there for several days.
There are people in the community that do not have the
resources/capabilities to perform the QA on packages, yet still wish to
contribute to the project. We should not block work from being done by
some people, just because there is more "important" work to be done by
others.
> 3) This is a HUGE security risk. You should never have an important
> signing key like advisory or package signing on any Internet
> accessible host, especially with the security risk of something like
> PHP or perl and apache. The signing key for packages and advisories
> should be on a secured host with no public services, used for NO
> OTHER PURPOSE.
>
> (i.e. fedora.us signing does not happen at www.fedora.us.)
Which is why this form does not sign the content, rather sends it back
to the user or signer in a complete text form, so that the signer can
then sign the content and publish it.
--
Jesse Keating RHCE MCSE (geek.j2solutions.net)
Fedora Legacy Team (www.fedora.us/wiki/FedoraLegacy)
Mondo DevTeam (www.mondorescue.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)
Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: signature
URL: <http://listman.redhat.com/archives/fedora-legacy-list/attachments/20040112/18eb0a63/attachment.sig>
More information about the fedora-legacy-list
mailing list