Unsigned packages in yum in FC4T1

David Hollis dhollis at davehollis.com
Mon Apr 4 13:33:28 UTC 2005


On Mon, 2005-04-04 at 09:18 +0200, Nils Philippsen wrote:

> 
> We had that discussion with FC3 devel (or was it FC2?) already -- I
> argued that we should somehow ensure that all packages leaving the build
> system (i.e. getting pushed) would be signed with at least some key to
> ensure package integrity while others argued that this would somehow
> suggest a level of quality in the package which isn't given. The
> discussion didn't lead anywhere tangible unfortunately.
> 

It seems to me that the purpose of the sig is not so much as a guarantee
of quality, as opposed to an insurance that the package hasn't been
tampered with (especially if you are pulling packages off of mirrors).
Granted, that isn't how everyone else may interpret it, but I'd rather
see all rawhide packages signed so that if I'm pulling from a mirror I
can feel reasonably assured that someone isn't slipping some badness
into my firefox update or whatever.

-- 
David Hollis <dhollis at davehollis.com>
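The mirror-tampering concern raised above is what yum's per-repository GPG checking is meant to address on the client side. The following repository definition is an added illustration, not part of the original message or of Fedora's shipped configuration; the repository id, name, baseurl and key file path are placeholders chosen for the example.

```ini
# Added example (not from the original message): a yum .repo definition
# for a mirrored development tree with GPG checking turned on, so that
# yum rejects any downloaded RPM whose signature is missing or does not
# verify, no matter which mirror served it.
# The repository id, baseurl and gpgkey path are placeholders.
[development-mirror]
name=Fedora Core development (mirror)
baseurl=http://mirror.example.invalid/fedora/development/i386/os/
enabled=1
# gpgcheck=1 makes yum verify each RPM against the keys listed in gpgkey
# before installing it. With gpgcheck=0, an unsigned or altered package
# served by a compromised mirror would be installed without complaint.
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-placeholder
```

With this setting, an unsigned package is refused rather than installed, which is exactly why the request above matters: the client-side check only buys integrity for packages that actually carry a signature from a key the client has imported. An individual package already on disk can be checked the same way with `rpm --checksig <file>.rpm`, which reports whether its embedded signature verifies against the keys in the rpm database.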