Should Fedora rpms be signed?
William Hooper
whooperhsd3 at earthlink.net
Tue Oct 26 14:35:11 UTC 2004
nodata said:
[snip]
> Aside from the verifications carried out by the human (I'm not sure what
> these are), the signed package from Red Hat would have one important
> advantage over an unsigned package from Red Hat - that it really did pass
> through one of the Red Hat build servers.
As the Fedora process opens up this distinction becomes less and less
important. Who's to say the malicious person isn't a previously trusted
contributor who has decided to work on a different project? Or, as others
have pointed out, the build server itself has been cracked?
--
William Hooper
More information about the fedora-test-list mailing list