Should Fedora rpms be signed?

Matias Féliciano feliciano.matias at free.fr
Mon Nov 1 18:02:48 UTC 2004


On Monday, 01 November 2004 at 11:47 -0500, Peter Jones wrote:
> On Sat, 2004-10-30 at 01:11 +0200, Matias Féliciano wrote:
> 
> > Since rawhide has some unsigned packages, I would like to know which
> > packages are not signed, and I sign them with my key (so yum always
> > has "gpgcheck=1"):
> > I mirror rawhide into the i386 directory with rsync, and then I sign
> > the packages that are missing a gpg signature.
> > Note, I don't sign (that is, change) any package in the i386 directory
> > (rsync does not like this).
> 
> When somebody organizes a man-in-the-middle attack between you and
> whichever site you rsync rawhide from, you sign the packages anyway.
> Can you see how this is a big problem?
> 

I don't understand your point.
If you think what I am doing is completely useless, you are right.

I just enjoy a placebo effect :-)

Second point, right now there are three unsigned packages:
rpmdb-fedora-3-0.20041101.i386.rpm
gthumb-2.4.2-4.i386.rpm
fedora-release-3-rawhide.noarch.rpm

Should I set "gpgcheck=0" in yum.conf only for these three packages?
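The first step in what Matias describes, finding which packages in a local mirror carry no signature, can be done without the rpm binary by reading the RPM signature header directly. What follows is an added example, not code from this thread or from Fedora: the tag numbers are rpm's RPMSIGTAG_* values, the lead/header layout is the one rpm has used since format version 3, and the two sample "packages" are constructed byte strings (lead plus signature header only, no real payload). On a real file the same check is `rpm -K file.rpm` (`--checksig`). Note what the check does and does not tell you: a signature tag in the header proves only that some key signed the package, so it is no substitute for yum verifying the signature against a key you actually trust.

```python
"""Find unsigned RPMs by parsing the signature header (added example, not from the thread)."""
import os
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic + header version 1
LEAD_SIZE = 96
RPM_BIN_TYPE = 7
FIXED_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # CHAR, INT8, INT16, INT32, INT64

# Tags that appear in the signature header (values from rpm's rpmtag.h).
SIGTAG_NAMES = {
    1000: "SIZE",   # size of header + payload
    1002: "PGP",    # RSA signature over header + payload
    1004: "MD5",    # MD5 digest over header + payload
    1005: "GPG",    # DSA signature over header + payload
    267:  "DSA",    # DSA signature over the header only (RPMSIGTAG_DSA)
    268:  "RSA",    # RSA signature over the header only (RPMSIGTAG_RSA)
    269:  "SHA1",   # SHA1 digest over the header only
}
SIGNATURE_TAGS = {1002, 1005, 267, 268}   # digests alone do not prove anyone signed the file


def parse_signature_header(data):
    """Return {tag: raw bytes} for every entry in the RPM's signature header."""
    if len(data) < LEAD_SIZE or data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    # lead layout: magic(4) major(1) minor(1) type(2) archnum(2) name(66)
    #              osnum(2) signature_type(2) reserved(16)  -> 96 bytes
    (sig_type,) = struct.unpack(">H", data[78:80])
    if sig_type != 5:   # RPMSIGTYPE_HEADERSIG, the only type rpm writes today
        raise ValueError("unsupported signature type %d" % sig_type)
    off = LEAD_SIZE
    if data[off:off + 4] != RPM_HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, store_size = struct.unpack(">II", data[off + 8:off + 16])
    index_start = off + 16
    store_start = index_start + 16 * nindex
    if len(data) < store_start + store_size:
        raise ValueError("truncated signature header")
    store = data[store_start:store_start + store_size]
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(
            ">iIII", data[index_start + 16 * i:index_start + 16 * (i + 1)])
        if typ == RPM_BIN_TYPE:
            length = count                  # BIN entries are `count` raw bytes
        elif typ in FIXED_SIZES:
            length = FIXED_SIZES[typ] * count
        else:
            length = None                   # NUL-terminated string types: take the rest
        entries[tag] = store[offset:offset + length] if length is not None else store[offset:]
    return entries


def signature_names(data):
    """Names of the signature tags present, e.g. ['DSA', 'GPG'], or [] if unsigned."""
    return sorted(SIGTAG_NAMES[t] for t in parse_signature_header(data) if t in SIGNATURE_TAGS)


def is_signed(data):
    return bool(signature_names(data))


def unsigned_packages(directory):
    """Filenames under `directory` ending in .rpm whose signature header holds no signature."""
    result = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".rpm"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            head = fh.read(65536)   # the signature header is small; the payload is not needed
        if not is_signed(head):
            result.append(name)
    return result


def build_sample_rpm(name, sig_entries):
    """Constructed sample (NOT a real package): lead + signature header, entries stored as BIN."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + name.encode().ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    assert len(lead) == LEAD_SIZE
    index, store = b"", b""
    for tag, blob in sig_entries:
        index += struct.pack(">iIII", tag, RPM_BIN_TYPE, len(store), len(blob))
        store += blob
    header = (RPM_HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(sig_entries), len(store))
              + index + store)
    padding = b"\0" * ((8 - len(store) % 8) % 8)   # signature header is padded to 8 bytes
    return lead + header + padding + b"(main header and cpio payload would follow)"


# Constructed samples: one with digests only, one that also carries DSA/GPG signature entries.
UNSIGNED_SAMPLE = build_sample_rpm("sample-unsigned-1-1", [
    (1000, struct.pack(">i", 123456)), (1004, bytes(range(16))), (269, b"0" * 40)])
SIGNED_SAMPLE = build_sample_rpm("sample-signed-1-1", [
    (1000, struct.pack(">i", 123456)), (1004, bytes(range(16))),
    (267, b"\x88\x46" + b"\0" * 68), (1005, b"\x88\x46" + b"\0" * 68)])   # placeholder sig bytes

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("\n".join(unsigned_packages(sys.argv[1])))   # e.g. the mirrored i386 directory
    else:
        print("unsigned sample:", signature_names(UNSIGNED_SAMPLE))
        print("signed sample:  ", signature_names(SIGNED_SAMPLE))
```

Run it with the mirror directory as the argument to get the list of unsigned files; with no argument it classifies the two constructed samples. The parser deliberately stops at the signature header, which is why it only needs the first few kilobytes of each file.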