Time to resurrect multi-key signatures in RPM?

Bojan Smojver bojan at rexursive.com
Tue Aug 26 08:51:05 UTC 2008

Bruno Wolff III <bruno <at> wolff.to> writes:

> And adds another. If one of those third parties goes belly up, then Fedora
> is going to have to take extraordinary measures to get packages signed in
> a way that will be accepted again.

Not true. As I mentioned before, the criteria would be that a package is signed
with N good keys. So, re-signing with someone else's key would be sufficient to
overcome this.

BTW, third parties do not have to be companies. They can be trusted Fedora
contributors, for instance.


