Should Fedora rpms be signed?
Rodolfo J. Paiz
rpaiz at simpaticus.com
Thu Oct 28 21:37:47 UTC 2004
On Thu, 2004-10-28 at 15:01 -0400, Jeff Spaleta wrote:
>
> You want to be able to have faith that mirrors are trustable? Is that
> the extent of the goal?
> Having signed metadata will serve much better as a verification that a
> mirror is serving up mirrored packages correctly, without implying ANY
> extra trustability to individual packages.
> The metadata has md5sums for each package, to verify the integrity of
> each package in the mirror. And signed metadata itself lets you verify
> the mirror is servering up what the master repository expects, without
> implying any trust to individual packages. Check the metadata
> signature, then check the md5sums of each package against the metadata
> at that mirror....that works, without changing the meaning of what
> signing a package means.
>
"Servering"? <grin>
That sounds like a *great* idea, and one that does in fact respond well
to the question of making sure that the mirror is serving the exact
package which came out of the buildsystem.
It is also an idea which will provide more and more value over time as
Fedora's developer community grows larger and more open.
Now, how does that idea get implemented?
Cheers,
--
Rodolfo J. Paiz <rpaiz at simpaticus.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-test-list/attachments/20041028/86d2c0b3/attachment.sig>
More information about the fedora-test-list
mailing list