mono and snk key files

Tom "spot" Callaway tcallawa at
Mon Dec 21 03:11:11 UTC 2009

On 12/19/2009 11:03 AM, Christopher Brown wrote:
> 2009/12/15 Adam Goode <adam at>:
>> On 12/13/2009 06:16 AM, Christopher Brown wrote:
>>> 2009/12/11 Adam Goode <adam at>:
>>>> We should definitely use Debian's key, right? Otherwise some Fedora CLI
>>>> libraries would be unnecessarily incompatible with Debian, and whoever
>>>> else uses Debian's key.
>>>> The whole business of not shipping code-signing keys is a little
>>>> contrary to open source. I think this is something that GPLv3 would
>>>> prohibit. We should use a single well-known signing key for any package
>>>> that we don't have the keys for, I think.
>>> You're right.
>>> This has already been resolved in devel by added mono.snk to the
>>> mono-devel package. I'm just waiting on commit access to make the
>>> required changes to F-11 and F-12 unless someone else wants to do it.
>> It looks like spot generated a new mono.snk. I was arguing to use
>> Debian's mono.snk, for cross-distro compatibility. Shouldn't everyone
>> should use Debian's key unless a package provides its own?
> Ideally we (Fedora and Debian) should use a single key generated by
> upstream but as this issue is only problematic due to cyclic dep
> problems in the build process I think that using our own is enough.
> Unfortunately I don't care enough to chase this issue further.

Yeah, I think there is very little merit in giving any amount of trust
to that key, nor is there any real value in picking up mono bits built
for Debian and putting them on Fedora and expecting them to work (or
vice versa).


More information about the fedora-devel-list mailing list