Unsigned packages in yum in FC4T1
Michael A. Peters
mpeters at mac.com
Tue Apr 5 04:03:05 UTC 2005
On 04/04/2005 06:33:28 AM, David Hollis wrote:
> On Mon, 2005-04-04 at 09:18 +0200, Nils Philippsen wrote:
>
> > We had that discussion with FC3 devel (or was it FC2?) already -- I
> > argued that we should somehow ensure that all packages leaving the
> > build system (i.e. getting pushed) would be signed with at least some
> > key to ensure package integrity, while others argued that this would
> > somehow suggest a level of quality in the package which isn't given.
> > The discussion didn't lead anywhere tangible unfortunately.
>
> It seems to me that the purpose of the sig is not so much as a guarantee
> of quality, as opposed to an insurance that the package hasn't been
> tampered with (especially if you are pulling packages off of mirrors).
> Granted, that isn't how everyone else may interpret it, but I'd rather
> see all rawhide packages signed so that if I'm pulling from a mirror I
> can feel reasonably assured that someone isn't slipping some badness
> into my firefox update or whatever.
Exactly - that's the purpose of a signature: to verify that it comes from
a trusted source. The GPL, under which most software is shipped,
specifically states that there is no guarantee of quality, and a signature
does not change that ... but a signature does say that the package has not
been tampered with between the signing server and the mirror my yum
client grabbed it from.
--
Michael A. Peters
http://mpeters.us/
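As an added example (not code from this post, the thread, or the yum/rpm projects), the policy the reply argues for, expressed as a small POSIX sh script: run `rpm -K` on what yum pulled from a mirror, and accept a package only if it carries a signature that verifies against a key already imported into the rpm database, rejecting unsigned packages even though their digests check out. The `rpm -K` summary-line formats it parses are assumed from the rpm 4.x output of the FC4 era; the sample lines, package names and the key id are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from the rpm/yum projects.
# Classifies the one-line summary printed by `rpm -K <package>` and refuses
# anything that is not signed with a key already imported into the rpm db.
#
# Assumed rpm 4.x (FC4-era) one-line format; components that FAIL are printed
# in upper case and signature components appear in parentheses:
#   signed, key imported : "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"
#   unsigned             : "pkg.rpm: sha1 md5 OK"
#   signed, key unknown  : "pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#...)"
#   digest mismatch      : "pkg.rpm: sha1 MD5 NOT OK"

# Classify one rpm -K summary line; prints a single-word verdict on stdout.
classify_rpm_check_line() {
    line=$1
    case "$line" in
        # A signature is present but its key is not imported: we cannot tell a
        # tampered package from one legitimately signed by an unknown key.
        *"NOT OK"*"MISSING KEYS"*) echo untrusted-key ;;
        # A digest or signature failed: the bytes changed after signing, or
        # the download is corrupt.
        *"NOT OK"*)                echo corrupt ;;
        # Everything OK and a gpg/pgp signature component was checked
        # ("signatures" covers the shorter summary wording of newer rpm).
        *[gG][pP][gG]*|*[pP][gG][pP]*|*signatures*) echo signed ;;
        # Only digests were OK. A mirror can regenerate digests at will, so
        # this proves nothing about who produced the package.
        *)                         echo unsigned ;;
    esac
}

# Takes the full text of an `rpm -K` run (one package per line) and returns 0
# only if every package is signed with an imported key; rejects are listed on
# stderr with their verdict.
require_signed_rpm_output() {
    rpm_output=$1
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        verdict=$(classify_rpm_check_line "$line")
        case "$verdict" in
            signed) ;;
            *) echo "REJECT ($verdict): $line" >&2; status=1 ;;
        esac
    done <<EOF
$rpm_output
EOF
    return $status
}

# Real use (needs rpm on the box, so not exercised offline): check files
# downloaded from a mirror before installing them. Keys are imported with
# `rpm --import <keyfile>`; without that step every signed package shows up
# as untrusted-key.
require_signed_rpms() {
    require_signed_rpm_output "$(rpm -K "$@" 2>&1)"
}

# Constructed sample output standing in for a real `rpm -K` run; the package
# names and the key id are placeholders, not real packages or keys.
SAMPLE_OUTPUT='signed-pkg-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
unsigned-pkg-0.1-1.i386.rpm: sha1 md5 OK
unknown-key-pkg-2.0-3.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0123abcd)
damaged-pkg-1.4-2.i386.rpm: sha1 MD5 NOT OK'

# `sh rpm_sig_check.sh demo` walks the constructed sample: only the first
# package is accepted, the other three are rejected with their verdicts.
case "${1:-}" in
    demo)
        if require_signed_rpm_output "$SAMPLE_OUTPUT"; then
            echo "all packages signed with imported keys"
        else
            echo "some packages rejected"
        fi
        ;;
esac
```

The point the script makes concrete is that `rpm -K` prints "OK" for an unsigned package as long as its digests match, which is exactly the case a mirror operator can manufacture; only the signature component ties the file back to the signing server. The same policy for yum itself is `gpgcheck=1` in yum.conf or the repository file, which makes yum refuse packages that do not verify against an imported key. Newer rpm releases shortened the summary wording (for example "digests signatures OK") and may report a missing key differently unless run with `-Kv`, so check the output of your own rpm version before relying on these patterns.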