
Safety of rpmbuild --sign?



I was just thinking...

Who uses rpmbuild --sign rather than rpm --addsign for package signing?
While rpmbuild --sign works, isn't there the possibility for security
danger if you build a package with a trojan in the build system?  It
could *possibly* read your ~/.gnupg directory and send it over the
Internet, right?

I personally always keep the build user and signer separated.  I am
gaining a small bit of safety, right?

Warren Togami
warren@togami.com
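As an added example (not part of the original post, nor rpm's own tooling), one way to script the separation described above: build under an account that holds no GPG keys, then sign afterwards from the signer account with rpm --addsign and verify the result. The account names, the signer's home directory and the key uid are assumptions.

```shell
#!/bin/sh
# Added example: keep building and signing in separate accounts so that a
# trojaned %build or %install section never runs with the signing key in reach.
# Assumed names: "builder" (unprivileged, no ~/.gnupg) and "signer" (key owner).
set -eu

BUILDER=builder                                  # assumption
SIGNER_HOME=/home/signer                         # assumption
GPG_NAME="Package Signer <signer@example.org>"   # placeholder key uid

# Pre-flight check: the signer's keyring directory must be owner-only (mode 700),
# otherwise a build running as another local user could still read the key.
# Returns 0 when private, 1 when missing or shared.
keyring_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # -prune keeps find from descending; -perm 700 is an exact permission match.
    [ -n "$(find "$dir" -prune -perm 700)" ]
}

# Step 1: build as the unprivileged account. Its HOME holds no keys, so the
# worst a malicious spec can do is read what that account can read.
build_package() {
    spec="$1"
    sudo -u "$BUILDER" -H rpmbuild -bb "$spec"
}

# Step 2: sign afterwards from the signer account. %_gpg_name selects the key;
# nothing from the build environment executes in this step.
sign_package() {
    rpmfile="$1"
    sudo -u signer -H rpm --define "_gpg_name $GPG_NAME" --addsign "$rpmfile"
}

# Step 3: confirm the signature verifies against the imported public key.
verify_package() {
    rpm -K "$1"
}

# Usage: ./separate-sign.sh run package.spec /path/to/RPMS/noarch
if [ "${1:-}" = "run" ]; then
    keyring_is_private "$SIGNER_HOME/.gnupg" || { echo "signer keyring is not owner-only"; exit 1; }
    build_package "$2"
    for f in "$3"/*.rpm; do
        sign_package "$f"
        verify_package "$f"
    done
fi
```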




