Time to resurrect multi-key signatures in RPM?
Bojan Smojver
bojan at rexursive.com
Wed Aug 27 21:42:15 UTC 2008
Les Mikesell <lesmikesell <at> gmail.com> writes:
> But what if
> it is the src rpm that is compromised so the builds will be identical
> because they both contain the modification?
That is not exactly the compromise of the build system and/or Fedora key, now is
it? If your own contributors are subverting the system by uploading borked
source, the multi-key system isn't going to help (and I never claimed that).
For people that are not convinced of the usefulness of this (in principle), go
to a bank and try to open an account. See if they'll be OK with you producing
just one piece of ID.
--
Bojan
More information about the fedora-devel-list
mailing list