Package Signing/GPG Key Management Questions
Chris
hap10 at tycho.ncsc.mil
Mon Jul 24 16:49:29 UTC 2006
Could someone shed light on the process for GPG signing of packages in
the Extras repository? I briefly searched the archives, but found only
an inconclusive argument about its usefulness.

How does the Extras package signing process differ from Base/Updates?
I know RPM-GPG-KEY-fedora-extras sits alongside RPM-GPG-KEY-fedora, but
who has control of the Extras signing key? Is checking for a CLA on
file the extent of vetting done to submitted packages (assuming they
meet all other packaging criteria outlined in the Wiki)?

It would be most helpful to have a sketch of what the ultimate signer (a
RH employee?) does before he/she decides it's OK to sign the package
with the official fedora-extras key.

Many thanks,
Chris