Should Fedora rpms be signed?

Alexandre Oliva aoliva at redhat.com
Tue Oct 26 22:10:14 UTC 2004


On Oct 26, 2004, seth vidal <skvidal at phy.duke.edu> wrote:

>> Just don't let yum install packages that aren't signed.  How about
>> you start a rawhide mirror with the following properties: if a
>> package is not signed, it won't be in your mirror; you'll keep the
>> previous version of such package instead.

> Then it would not be a rawhide mirror. It would be a rawhide distortion.

> mirror implies an identical reflection. :)

Well, not quite.  Plane mirrors do.  And, even then, there's a small
delay for the light to get from you to the mirror and back, so when
you see your image in the mirror, you're no longer what you're seeing
there :-)  This wouldn't be that different :-)

> You could download the header from the package and look beyond it to see
> if there are any non-md5/sha1 signatures and if any of those are gpg
> signatures. However, you won't be able to know if it passes the sig
> check w/o downloading the whole package. And boy would that suck for the
> user.

No dispute here.  But if it could, later on, realize that the package
was signed and use http interval fetch tricks to obtain only the
signature, it would be way cool.

>> It's unlikely that signed packages will have dependencies on unsigned
>> packages, because of the way signing is done, so odds are that, given
>> daily rawhide pushes, you'd be able to move forward quite regularly.

> except that testing would crawl to a halt on the unsigned packages.

Which would be a good reason for the key bearers :-) to actually sign
packages that go to rawhide more often.

-- 
Alexandre Oliva             http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer   aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist  oliva@{lsd.ic.unicamp.br, gnu.org}
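The "download the header and look for gpg signatures" and "fetch only the signature with HTTP range tricks" ideas above can be illustrated with a few dozen lines. The following is an added example, not code from yum, rpm or anyone in this thread: it parses the fixed 96-byte RPM lead and the signature header that follows it, reports which signature-header tags are present (using the tag numbers from rpm's rpmtag.h), and computes the byte range an HTTP `Range:` request would have to cover to pull in the whole signature header after a first 112-byte probe. The two sample packages are constructed in the script and are not real Fedora RPMs; the 64 zero bytes standing in for a GPG signature packet are a placeholder. Note what this does and does not buy you: it tells you whether an OpenPGP signature tag is present, which is all a mirror can know from the front of the file; checking that the signature actually verifies still needs the header and payload it covers, exactly as the quoted message says.

```python
"""Peek at an RPM's signature header without fetching the payload.

Added example for this thread (not rpm's or yum's own code). Only detects the
*presence* of an OpenPGP signature; verifying it needs the rest of the file.
"""
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_LEAD_SIZE = 96                  # fixed-size lead precedes the signature header
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header magic + version 1
HEADER_INTRO = 16                   # magic(4) reserved(4) nindex(4) hsize(4)
INDEX_ENTRY = 16                    # tag(4) type(4) offset(4) count(4)

# Signature-header tag numbers as defined in rpm's rpmtag.h.
SIGTAG_NAMES = {1000: "SIZE", 1002: "PGP", 1004: "MD5", 1005: "GPG",
                1007: "PAYLOADSIZE", 267: "DSA", 268: "RSA", 269: "SHA1"}
# Tags that carry OpenPGP signatures, as opposed to plain digests (MD5/SHA1).
OPENPGP_SIG_TAGS = {1002, 1005, 267, 268}
# Fixed-width data types; string types (6/8/9) are NUL-terminated instead.
TYPE_WIDTH = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}


def signature_header_range(prefix):
    """From at least the first 112 bytes, return (start, end) of the signature
    header; 'Range: bytes=start-(end-1)' fetches it without the payload."""
    if prefix[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    start = RPM_LEAD_SIZE
    if prefix[start:start + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", prefix[start + 8:start + 16])
    return start, start + HEADER_INTRO + INDEX_ENTRY * nindex + hsize


def parse_signature_header(blob):
    """Return {tag: (type, value)} from a prefix holding the whole signature header."""
    start, end = signature_header_range(blob)
    if len(blob) < end:
        raise ValueError(f"need {end} bytes, have {len(blob)}")
    nindex = struct.unpack(">I", blob[start + 8:start + 12])[0]
    index = start + HEADER_INTRO
    data = index + INDEX_ENTRY * nindex
    tags = {}
    for i in range(nindex):
        entry = blob[index + INDEX_ENTRY * i:index + INDEX_ENTRY * (i + 1)]
        tag, typ, off, count = struct.unpack(">IIII", entry)
        pos = data + off
        if typ in TYPE_WIDTH:
            value = blob[pos:pos + TYPE_WIDTH[typ] * count]
            if typ == 4:                       # INT32 array -> tuple of ints
                value = struct.unpack(f">{count}I", value)
        else:                                  # string: read up to the NUL
            value = blob[pos:blob.index(b"\0", pos)].decode("ascii")
        tags[tag] = (typ, value)
    return tags


def has_openpgp_signature(blob):
    return any(tag in OPENPGP_SIG_TAGS for tag in parse_signature_header(blob))


def signature_tag_names(blob):
    return sorted(SIGTAG_NAMES.get(t, str(t)) for t in parse_signature_header(blob))


# --- Constructed sample packages (placeholders, not real Fedora RPMs) -------
def _lead(name):
    # magic, major 3, minor 0, type 0 (binary), arch 1, name, os 1, sigtype 5, reserved
    return (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + name.ljust(66, b"\0") + struct.pack(">HH", 1, 5) + bytes(16))


def _sig_header(entries):
    """entries: [(tag, type, count, raw)] -> encoded signature header, 8-byte padded."""
    index, data = b"", b""
    for tag, typ, count, raw in entries:
        data += bytes(-len(data) % TYPE_WIDTH.get(typ, 1))   # align fixed-width data
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += raw
    intro = HEADER_MAGIC + bytes(4) + struct.pack(">II", len(entries), len(data))
    return intro + index + data + bytes(-len(data) % 8)


COMMON = [(1000, 4, 1, struct.pack(">I", 12345)),                          # SIZE
          (1004, 7, 16, bytes(range(16))),                                  # MD5 (placeholder)
          (269, 6, 1, b"0123456789abcdef0123456789abcdef01234567\0")]       # SHA1 of header
UNSIGNED_RPM = _lead(b"foo-1.0-1") + _sig_header(COMMON) + b"<header+payload>"
# Tag 1005 (GPG) carries an OpenPGP signature packet; 64 zero bytes stand in for one.
SIGNED_RPM = (_lead(b"foo-1.0-1") + _sig_header(COMMON + [(1005, 7, 64, bytes(64))])
              + b"<header+payload>")

if __name__ == "__main__":
    for label, pkg in (("unsigned", UNSIGNED_RPM), ("signed", SIGNED_RPM)):
        print(label, signature_tag_names(pkg), "OpenPGP sig:", has_openpgp_signature(pkg),
              "fetch range:", signature_header_range(pkg[:112]))
```

In practice a mirror would issue one request for bytes 0-111, compute the range with `signature_header_range`, then request only that range (the header is padded to an 8-byte boundary on disk, which the range deliberately excludes). A package whose signature header shows no tag from `OPENPGP_SIG_TAGS` is the case the quoted proposal would hold back in favour of the previous version.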

More information about the fedora-test-list mailing list