Should Fedora rpms be signed?

Satish Balay balay at fastmail.fm
Fri Nov 5 06:43:22 UTC 2004



On Thu, 4 Nov 2004, Peter Jones wrote:

> On Thu, 2004-11-04 at 11:33 +0100, Nils Philippsen wrote:
> > On Mon, 2004-11-01 at 18:50 -0500, Peter Jones wrote:
> > > On Mon, 2004-11-01 at 17:34 -0600, Satish Balay wrote:
> > > > Ok - you & Seth seem to have a solution to the problem.
> > > > 
> > > > Still no good explanation why ALL keys should be treated the same.
> > > 
> > > Because there's nothing about a key that tells you how to treat it.
> > 
> > Exactly. There's where "common sense" comes into play, i.e. I shouldn't
> > enable Rawhide repositories if a broken system makes me cry.
> 
> We're not just talking about rawhide.  We're talking about Axil's repo,
> and Matthias's repo, and the cdparanoia repo on my people.redhat.com
> site, and the repo on Seth's website.
> 
> There is no common sense answer to "I have 40 keys signing things and
> none of them specify what the signature means".
> 
> Quit thinking that we're talking about one key.  We're talking about
> many.

These are arguments for 'a better key-management-policy'
infrastructure. There is no argument here about keeping 'rawhide'
unsigned.

Satish




More information about the fedora-test-list mailing list