Time to resurrect multi-key signatures in RPM?

Bruno Wolff III bruno at wolff.to
Tue Aug 26 07:13:08 UTC 2008


On Tue, Aug 26, 2008 at 03:27:43 +0000,
  Bojan Smojver <bojan at rexursive.com> wrote:
> 
> I guess from Red Hat's point of view, the only difference would be that Fedora
> packages would not be valid unless signed and uploaded back to updates by
> (required number of) other signatories.

I don't think you are really going to gain much from doing that. And there
is certainly going to be a lot of pain associated with that. It creates
extra work, adds delays, and adds a dependence on third parties. And it
doesn't completely prevent people from getting bad code signed.




More information about the fedora-devel-list mailing list