Should Fedora rpms be signed?
Peter Jones
pjones at redhat.com
Fri Nov 5 16:10:35 UTC 2004
On Thu, 2004-11-04 at 23:45 +0100, Féliciano Matias wrote:
> Le jeudi 04 novembre 2004 à 15:37 -0500, Peter Jones a écrit :
> > Also note that those which are signed are currently signed by hand, and
> > one thing people have been advocating is automatic signing. Automatic
> > signing, I'll obviously argue, is a total loss.
>
> What is a ssl server if it's not an automatic signing machine ?
> Total loss...
That's completely ignoring the contexts of package distribution and the
policies put in place by current package update tools. None of them
trust packages *just* because they are fetched over SSL, nor do they
reject packages which aren't.
--
Peter
More information about the fedora-test-list
mailing list