Package XYZ is not signed

Nicolas Mailhot nicolas.mailhot at laposte.net
Mon Oct 29 08:26:01 UTC 2007


On Mon, 29 October 2007 08:27, Till Maas wrote:
> On Sun October 28 2007, Andrew Farris wrote:
>
>> prevent that either (in rawhide).  Testing rawhide isn't for boxes with
>> corporate sensitive data...
>
> This seems not to be common knowledge, because afaik even Fedora
> Maintainers use Rawhide on a system, where they create new packages.

And it's totally unrealistic because the only people who're going to
sit before a test box without real data are people paid for testing
(i.e. not community contributors).

You can't have it both ways - either you pay people to do testing on
fake safe data (very expensive), or you have volunteers testing on
their own systems (with their own data), and you have to work a
minimum so you only eat this data in very rare cases.

>> Actually signing the package from the build system would change very little
>> other than insure that the mirror you're downloading from did not bring in
>> a new package that doesn't belong.
>
> Imho it is a big benefit,

And even kernel.org does it so anyone who feels autosigning packages
before uploading to the root mirrors is "unprofessional" can complain
on LKML and get educated :).

Regards,

-- 
Nicolas Mailhot
