Should Fedora rpms be signed?
Nils Philippsen
nphilipp at redhat.com
Fri Oct 29 18:15:53 UTC 2004
On Fri, 2004-10-29 at 14:06 -0400, Paul Iadonisi wrote:
> On Fri, 2004-10-29 at 19:37 +0200, Nils Philippsen wrote:
> > On Fri, 2004-10-29 at 11:06 -0600, Rodolfo J. Paiz wrote:
>
> [snip]
>
> > > I see no downside. Since you do, can you provide more detail on what and
> > > why?
> >
> > I see no downside in repo metadata signing either, it's a good thing
> > actually. But it is not an argument on why packages shouldn't be signed
> > individually.
>
> Um...did I miss something? I didn't see anyone suggest *replacing*
> package signing with repo metadata signing. It's just an added measure
> to help ensure that what is on the mirrors is what is on the official
> Red Hat repo. Granted, you still need yum or up2date to use that
> information, but it's still a net gain. In particular for when some
> packages don't get signed, which seems to be what this thread is about
> (today, anyhow ;-)).
> At least, I sure *hope* no one was suggesting foregoing package
> signing. Cuz that would be bad. :-)
Umm yeah. Some people were proposing that Rawhide packages should not be
signed at all. I myself think this is a bad idea and that all packages,
regardless of their quality, should be signed. Hey, even more so with bad
packages I want to know who's responsible ;-).
Nils
--
Nils Philippsen / Red Hat / nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
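An added example, not part of the thread: a small POSIX shell audit that classifies `rpm -K` (`--checksig`) output so the unsigned packages the thread worries about stand out from signed ones and from signature failures. The sample lines are constructed, and the exact `rpm -K` wording (modern `digests signatures OK` versus the older `... gpg OK`) is an assumption about the rpm version in use.

```shell
#!/bin/sh
# classify_checksig: read "rpm -K" result lines on stdin, print one verdict
# per package. Assumed rpm wording:
#   "pkg.rpm: digests signatures OK"      signed, key imported   -> SIGNED
#   "pkg.rpm: digests OK"                 no signature at all    -> UNSIGNED
#   "pkg.rpm: digests SIGNATURES NOT OK"  missing key / tampered -> BAD
#   "pkg.rpm: (sha1) dsa sha1 md5 gpg OK" older rpm 4.x wording  -> SIGNED
classify_checksig() {
  while IFS= read -r line; do
    pkg=${line%%:*}        # everything before the first colon
    status=${line#*: }     # everything after "filename: "
    case "$status" in
      *"NOT OK"*)               printf 'BAD %s\n' "$pkg" ;;
      *"signatures OK"*)        printf 'SIGNED %s\n' "$pkg" ;;
      *" gpg OK"*|*" pgp OK"*)  printf 'SIGNED %s\n' "$pkg" ;;
      *)                        printf 'UNSIGNED %s\n' "$pkg" ;;
    esac
  done
}

# audit_rpm_dir DIR: run rpm -K over a directory (needs rpm installed) and
# fail if anything is not cleanly signed. Suitable as a gate before pushing
# packages to a mirror.
audit_rpm_dir() {
  rpm -K "$1"/*.rpm | classify_checksig | grep -v '^SIGNED' && return 1
  return 0
}

# Constructed sample of rpm -K output (placeholder package names).
SAMPLE='signedpkg-1.0-1.noarch.rpm: digests signatures OK
unsignedpkg-1.0-1.noarch.rpm: digests OK
badsigpkg-1.0-1.i386.rpm: digests SIGNATURES NOT OK
oldstylepkg-1.0-1.src.rpm: (sha1) dsa sha1 md5 gpg OK'

# Stand-alone run: prints the verdict for each constructed line.
printf '%s\n' "$SAMPLE" | classify_checksig
```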