Should Fedora rpms be signed?

William Hooper whooperhsd3 at earthlink.net
Tue Oct 26 14:35:11 UTC 2004


nodata said:
[snip]
> Aside from the verifications carried out by the human (I'm not sure what
> these are), the signed package from Red Hat would have one important
> advantage over an unsigned package from Red Hat - that it really did pass
> through one of the Red Hat build servers.

As the Fedora process opens up this distinction becomes less and less
important.  Who's to say the malicious person isn't a previously trusted
contributor who has decided to work on a different project?  Or, as others
have pointed out, the build server itself has been cracked?

--
William Hooper


More information about the fedora-test-list mailing list