Should Fedora rpms be signed?

William Hooper whooperhsd3 at earthlink.net
Tue Oct 26 13:01:49 UTC 2004


nodata said:
>> How?  Would it make you feel better if the fake updates had installed a
>>  signature first? Or told you that you had to install a new key from
>> the fake site?  The ONLY thing that signatures tell you is that the RPM
>> has been signed with a particular key, that's it.
>
> An rpm signed by Red Hat tells me that Red Hat signed it.
> No signature == no install.

Have you read the fake e-mail?  RPM was never mentioned.  And again, if
you are falling for an e-mail that has you run an arbitrary script, any
key can be installed to look like a Red Hat key.

> Many of the releases in Rawhide are not signed, why not?

This has been discussed over and over, so look at the archives.  Basically
it boils down to the Rawhide RPMs being automatically generated when there
isn't always someone around to sign them.  Since the whole point of
Rawhide is to get new bits out the door the choice is made not to hold
them for a live body to sign them.

-- 
William Hooper
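The point above, that a signature only proves which key signed the package, is why a verification step should pin the signer to keys you have checked out of band rather than accepting anything in the rpm keyring. The following shell script is an added illustration, not code from this thread or from Fedora/Red Hat. It assumes the signature summary has the shape printed by `rpm -qp --qf '%{SIGPGP:pgpsig}\n' package.rpm` ("<algo>, <date>, Key ID <16 hex digits>"), and the key IDs in TRUSTED_KEY_IDS are constructed placeholders.

```sh
#!/bin/sh
# Added example: accept an RPM only if (a) rpm -K verifies its signature
# against the keyring and (b) the signing key ID is on an explicit
# allowlist. Step (b) is what defends against a key that was slipped into
# the keyring by a script the user was talked into running.
#
# Assumption: the pgpsig summary string from
#   rpm -qp --qf '%{SIGPGP:pgpsig}\n' package.rpm
# ends in "Key ID <16 hex chars>". Unsigned packages print "(none)".
# The key IDs below are constructed placeholders; replace them with the
# IDs of vendor keys whose fingerprints you verified out of band.
TRUSTED_KEY_IDS="0123456789abcdef fedcba9876543210"

# Print the lowercase 16-hex-digit key ID from a pgpsig summary,
# or nothing if the string carries no key ID (e.g. "(none)").
signer_key_id() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Key ID \([0-9a-fA-F]\{16\}\).*/\1/p' \
        | tr 'A-F' 'a-f'
}

# Return 0 if the signer's key ID is on the allowlist, 1 otherwise.
signer_is_trusted() {
    kid=$(signer_key_id "$1")
    [ -n "$kid" ] || return 1
    for t in $TRUSTED_KEY_IDS; do
        [ "$kid" = "$t" ] && return 0
    done
    return 1
}

# Full check for a package file. rpm -K exits non-zero when a signature
# fails to verify, but exits zero for an unsigned package with good
# digests, so the allowlist check is what rejects unsigned packages.
check_rpm() {
    pkg=$1
    if ! rpm -K "$pkg" >/dev/null 2>&1; then
        echo "REJECT: $pkg: signature or digest does not verify"
        return 1
    fi
    sig=$(rpm -qp --qf '%{SIGPGP:pgpsig}\n' "$pkg" 2>/dev/null)
    if signer_is_trusted "$sig"; then
        echo "OK: $pkg signed by trusted key $(signer_key_id "$sig")"
    else
        echo "REJECT: $pkg signed by unlisted key: '$sig'"
        return 1
    fi
}

# Usage (needs rpm and a real package on the system):
#   check_rpm /path/to/package.rpm
```

The allowlist deliberately lives in the script, not in the rpm keyring: `rpm --import` by an untrusted script changes the keyring, but it cannot change this list.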




More information about the fedora-test-list mailing list