Development to Official

Jesse Keating jkeating at redhat.com
Thu Oct 25 14:20:51 UTC 2007


On Thu, 25 Oct 2007 16:10:59 +0200
Till Maas <opensource at till.name> wrote:

> What is the problem with an automated signing process?[1] It cannot
> be worse than the current situation where rawhide rpms are only
> available in unsecure ways for the common user. When the ssl
> certificate for koji is changed to one from a trusted ca, then at
> least they are available there, but it is still a lot more work than
> to just using a mirror. And I guess it is not intended to use koji as
> a repository.

Because it really doesn't offer much protection.  All it really says is
"this fell out of koji", which there is /some/ level of comfort about
that, but not much.

More scary to me is that with the signing server going to be so fresh I
just don't want to hook an automated process up to it, one that could
potentially be exploited to gain access to more important keys.
It's the paranoid in me.

-- 
Jesse Keating
Fedora -- All my bits are free, are yours?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20071025/26ebf9a6/attachment.sig>


More information about the fedora-devel-list mailing list