Should Fedora rpms be signed?

Rodolfo J. Paiz rpaiz at simpaticus.com
Thu Oct 28 23:44:02 UTC 2004


On Thu, 2004-10-28 at 23:40 +0200, Matias Féliciano wrote:
> But I am tired with this mix of authentication, quality, rawhide means
> "don't complain", trust own unsigned rawhide rpm but don't trust own
> unsigned rpm if it's not rawhide, ... arguments.

I think it's more of a question of attaching a different meaning to
things. You see signing the Rawhide packages as a way to know that they
were not altered on a mirror, such that you are sure of downloading the
actual code produced by Red Hat. However, Peter and Jeff see signing the
package as having the same value as your signature on a legal document:
certification of something of value. As such, Fedora releases and
updates (even beta releases) are signed, but Rawhide releases are not.

Both points of view make sense, but they attach different meanings to
the concept of "signing" something.

My *interpretation* of what you wanted is that you would get exactly
what you want by having people sign the metadata in the repository as
was suggested earlier. You can then be certain that whatever is in the
repo is exactly what it should be.

Now, how do we sign repo metadata?

Cheers,

-- 
Rodolfo J. Paiz <rpaiz at simpaticus.com>
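As an added illustration of the question Rodolfo closes with (this code is not from the thread, from Fedora's tooling, or from Red Hat), the following sketches what signing repository metadata buys a client: a detached signature over the metadata, and per-package digests inside the metadata, together let a client check that what a mirror serves is exactly what the publisher produced. Ed25519 from the `cryptography` library is assumed here as a stand-in for the GPG detached signature a real yum repository would carry, the JSON document is a constructed, simplified stand-in for repomd.xml/primary.xml, and the package bytes are constructed samples rather than real RPMs.

```python
"""Signed repository metadata: publisher signs the metadata, the client
verifies the signature and then checks each package against the digest
the signed metadata lists.  Ed25519 via `cryptography` stands in for a
GPG detached signature; the metadata layout is a constructed stand-in
for repomd.xml.  Added example, not Fedora's or Red Hat's code.
"""
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519

# Constructed sample packages (name -> file bytes); stand-ins for RPMs.
PACKAGES = {
    "foo-1.0-1.noarch.rpm": b"constructed payload of foo 1.0",
    "bar-2.3-4.noarch.rpm": b"constructed payload of bar 2.3",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# ---- publisher side ----------------------------------------------------

def build_metadata(packages: dict) -> bytes:
    """Serialise the package list with a SHA-256 digest per file.

    Packages are not signed individually; they are bound to the signed
    metadata through these digests, which is what lets an unsigned
    Rawhide-style package still be checked against the repository."""
    listing = {name: sha256_hex(blob) for name, blob in sorted(packages.items())}
    return json.dumps({"packages": listing}, sort_keys=True).encode()


def sign_metadata(metadata: bytes, key: ed25519.Ed25519PrivateKey) -> bytes:
    """Detached signature over the metadata bytes (cf. repomd.xml.asc)."""
    return key.sign(metadata)


# ---- client side -------------------------------------------------------

def verify_repo(metadata: bytes, signature: bytes,
                pubkey: ed25519.Ed25519PublicKey, served: dict) -> list:
    """Return a list of problems; an empty list means the mirror content
    matches what the publisher signed.  Signature is checked first, so a
    modified metadata file is rejected before its contents are trusted."""
    try:
        pubkey.verify(signature, metadata)
    except InvalidSignature:
        return ["metadata signature invalid: metadata altered or not signed by this key"]
    expected = json.loads(metadata)["packages"]
    problems = []
    for name, digest in expected.items():
        if name not in served:
            problems.append(f"{name}: listed in signed metadata but missing from mirror")
        elif sha256_hex(served[name]) != digest:
            problems.append(f"{name}: digest mismatch, package altered on mirror")
    for name in served:
        if name not in expected:
            problems.append(f"{name}: served by mirror but absent from signed metadata")
    return problems


def demo() -> dict:
    """Run the publisher/client exchange over the constructed packages and
    three mirror states: honest, one altered package, altered metadata."""
    priv = ed25519.Ed25519PrivateKey.generate()
    pub = priv.public_key()
    metadata = build_metadata(PACKAGES)
    sig = sign_metadata(metadata, priv)

    honest = verify_repo(metadata, sig, pub, PACKAGES)

    altered_pkg = dict(PACKAGES)
    altered_pkg["foo-1.0-1.noarch.rpm"] = b"constructed altered payload"
    bad_pkg = verify_repo(metadata, sig, pub, altered_pkg)

    # Whitespace appended to the metadata still parses as JSON, but the
    # detached signature no longer covers it.
    bad_md = verify_repo(metadata + b" ", sig, pub, PACKAGES)

    return {"honest": honest, "altered_package": bad_pkg, "altered_metadata": bad_md}


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "ok")
```

The order of checks is the point: the client trusts nothing in the metadata until the signature over it verifies, and only then uses the listed digests to judge the packages. Signing the metadata therefore gives the property the thread asks for (nothing on the mirror can be swapped unnoticed) without attaching any "certification of quality" to an individual package.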