Package warning - Rawhide

Rahul Sundaram sundaram at
Sun Oct 12 09:27:30 UTC 2008

Ralf Corsepius wrote:
> On Sun, 2008-10-12 at 14:27 +0530, Rahul Sundaram wrote:
>> Hi,
>> The PackageKit warning for every single unsigned package - which happens 
>> to be everything in rawhide is just plain annoying. Can't we do 
>> something nice about that?
> The rationale for exposing users to the risks of using unsigned packages
> has always escaped me, even less in the light of "The incident".
> I.e. IMO, the "only correct approach" would be to only have signed
> packages in rawhide.

I rarely find common ground with you but in this instance, I completely 
agree. Is time delay the reason behind not signing packages? There is a 
pretty big difference between unstable or development software packages 
and potentially trojaned ones. This is not just for rawhide. Many of us, 
including me, run rawhide for a large part of the Fedora development 
cycle; a security exploit in one of our machines via a bad rawhide 
mirror can result in malicious packages being pushed to stable 
repositories or other even worse issues. We should take this attack 
vector seriously.


More information about the fedora-devel-list mailing list