Fedora Rel-Eng Meeting Recap 2007-JUL-02
Bojan Smojver
bojan at rexursive.com
Wed Jul 4 00:15:20 UTC 2007
John Poelstra <poelstra <at> redhat.com> writes:
> * Draft spec for the signing server by f13 is here:
http://fedoraproject.org/wiki/JesseKeating/SigningServerSpecDraft
Just one comment here, regarding the draft itself. The Fedora Account System
would be used for authentication, which makes sense, but a single compromised
account may mean trojaned packages. I know, not very likely (Or is it? Do we
force password complexity on folks? Mandatory password changes?), but better be
paranoid...
Would it be possible to organise that multiple authorised users have to approve
the package for signing before it actually gets signed? That way there are at
least some checks and balances in the system.
--
Bojan
More information about the fedora-devel-list
mailing list