Should Fedora rpms be signed?
Peter Jones
pjones at redhat.com
Mon Nov 1 23:11:26 UTC 2004
On Mon, 2004-11-01 at 14:51 -0600, Satish Balay wrote:
> - Here the assumption is: EVERYONE's perception about gpg-signed rpms
> (or rawhide) is the same.
No, just that a significant number of people to make us all miserable
believe it means more than "the vendor says this is the one you meant to
download".
> - And perception is no excuse for proper documentation.
But when proper documentation and perception differ, perception has
already won. I agree, we should document whatever is agreed upon. But
let's not agree on something unlike the real world's current perception.
That's just silly.
And still, proper documentation is no excuse for non-explicit data
formats.
> - There will always be wrong assumptions by users. This doesn't equate
> to not signing-rawhide-packages. [And documenting it]
The proposal for signing rawhide packages does nothing to dissuade those
wrong assumptions, even though it's a relatively easy thing.
> And as Matias already pointed out - let's not mix QA perception with
> 'signature'.
And let's not mix "signature" with "signature on one piece of data that
makes a specific claim". We don't have the latter, and it's best not to
use the former at places where it's important for people to have the
more limited set of expectations.
--
Peter
"Traveling through hyperspace isn't like dusting crops, boy."
-- Solo
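The distinction Peter draws above, between a signature over package bytes and a signature over a statement that makes an explicit claim about those bytes, can be illustrated in code. The following is an added example and is not part of the original thread or of any Fedora tooling: it uses an HMAC from the Python standard library as a constructed stand-in for the GPG signing key, and the package bytes, key and claim names are all constructed. The point it shows is that a bare package signature yields no claim beyond "the key holder signed these bytes", while a signed statement lets a verifier report exactly the claims the signer actually made, and nothing more.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the archive's signing key. A real archive signs
# with an asymmetric (GPG) key; HMAC is used here only so the example runs
# with the standard library alone.
SIGNING_KEY = b"constructed-example-signing-key"


def sign(data: bytes, key: bytes = SIGNING_KEY) -> str:
    """Produce a signature (HMAC-SHA256 stand-in) over arbitrary bytes."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Constant-time check that the signature matches the data under the key."""
    return hmac.compare_digest(sign(data, key), signature)


def package_signature(package: bytes) -> str:
    """A plain package signature, like a GPG signature on an rpm: it only
    proves that the key holder signed exactly these bytes."""
    return sign(package)


def claims_from_plain_signature(package: bytes, signature: str) -> set:
    """All a bare package signature can ever tell a verifier is origin.
    Anything else (QA status, release channel) is the verifier's own
    assumption, which is the perception problem discussed in the thread."""
    return {"signed-by-key"} if verify(package, signature) else set()


def signed_statement(package: bytes, claims: list) -> dict:
    """A signature over an explicit statement: the package digest and the
    claims being made about it are part of the signed data, so the data
    format itself says what is asserted."""
    body = json.dumps(
        {"sha256": hashlib.sha256(package).hexdigest(), "claims": sorted(claims)},
        sort_keys=True,
    )
    return {"statement": body, "signature": sign(body.encode())}


def verified_claims(package: bytes, statement: dict) -> set:
    """Return only the claims the signed statement explicitly makes about
    this exact package. An invalid signature or a digest mismatch yields
    an empty set rather than a partially trusted result."""
    body = statement["statement"]
    if not verify(body.encode(), statement["signature"]):
        return set()
    parsed = json.loads(body)
    if parsed.get("sha256") != hashlib.sha256(package).hexdigest():
        return set()
    return set(parsed.get("claims", []))


if __name__ == "__main__":
    pkg = b"constructed rpm payload bytes"           # constructed sample package
    print(claims_from_plain_signature(pkg, package_signature(pkg)))
    stmt = signed_statement(pkg, ["built-by-vendor", "rawhide"])
    print(verified_claims(pkg, stmt))
```

A verifier written this way cannot report "qa-tested" unless the signer put that string inside the signed statement, which is the "more limited set of expectations" the post argues for: the claim lives in the signed data, not in the reader's head.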