Should Fedora rpms be signed?
Alexandre Oliva
aoliva at redhat.com
Tue Oct 26 22:10:14 UTC 2004
On Oct 26, 2004, seth vidal <skvidal at phy.duke.edu> wrote:

>> Just don't let yum install packages that aren't signed. How about
>> you start a rawhide mirror with the following properties: if a
>> package is not signed, it won't be in your mirror; you'll keep the
>> previous version of such package instead.

> Then it would not be a rawhide mirror. It would be a rawhide distortion.
> mirror implies an identical reflection. :)

Well, not quite. Plane mirrors do. And, even then, there's a small
delay for the light to get from you to the mirror and back, so when
you see your image in the mirror, you're no longer what you're seeing
there :-) This wouldn't be that different :-)

> You could download the header from the package and look beyond it to see
> if there are any non-md5/sha1 signatures and if any of those are gpg
> signatures. However, you won't be able to know if it passes the sig
> check w/o downloading the whole package. And boy would that suck for the
> user.

No dispute here. But if it could, later on, realize that the package
was signed and use http interval fetch tricks to obtain only the
signature, it would be way cool.

>> It's unlikely that signed packages will have dependencies on unsigned
>> packages, because of the way signing is done, so odds are that, given
>> daily rawhide pushes, you'd be able to move forward quite regularly.

> except that testing would crawl to a halt on the unsigned packages.

Which would be a good reason for the key bearers :-) to actually sign
packages that go to rawhide more often.

--
Alexandre Oliva http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist oliva@{lsd.ic.unicamp.br, gnu.org}
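
An added example, not part of the original message and not yum's or rpm's own code: a sketch of the header check discussed above, which parses the signature header from the first bytes of an .rpm (what an HTTP range request would return) and reports whether any non-digest signature tag is present. Tag numbers are from the RPM file format; `build_sample` and its dummy data are constructed for the demonstration. A tag being present says nothing about whether the signature verifies.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"   # start of the 96-byte RPM lead
HDR_MAGIC = b"\x8e\xad\xe8\x01"    # start of a header structure
LEAD_SIZE = 96
# Signature-header tag numbers from the RPM file format.
DIGEST_TAGS = {269: "SHA1 (header)", 1004: "MD5 (header+payload)"}
SIGNATURE_TAGS = {267: "DSA (header)", 268: "RSA (header)",
                  1002: "PGP (header+payload)", 1005: "GPG (header+payload)"}

def signature_tags(prefix: bytes) -> dict:
    """Classify the signature-header tags found in the first bytes of an .rpm."""
    if len(prefix) < LEAD_SIZE + 16 or prefix[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    if prefix[LEAD_SIZE:LEAD_SIZE + 4] != HDR_MAGIC:
        raise ValueError("signature header magic missing")
    # After magic + 4 reserved bytes: entry count and data-store size (big-endian).
    nindex, hsize = struct.unpack_from(">II", prefix, LEAD_SIZE + 8)
    index_end = LEAD_SIZE + 16 + 16 * nindex
    if index_end > len(prefix):
        raise ValueError("prefix too short: fetch at least %d bytes" % (index_end + hsize))
    found = {"digests": [], "signatures": [], "other": []}
    for i in range(nindex):
        # Each index entry is (tag, type, offset, count); only the tag matters here.
        tag = struct.unpack_from(">IIII", prefix, LEAD_SIZE + 16 + 16 * i)[0]
        if tag in SIGNATURE_TAGS:
            found["signatures"].append(SIGNATURE_TAGS[tag])
        elif tag in DIGEST_TAGS:
            found["digests"].append(DIGEST_TAGS[tag])
        else:
            found["other"].append(tag)
    return found

def build_sample(tags):
    """Constructed input: an RPM lead plus a signature header with dummy data."""
    lead = LEAD_MAGIC + b"\x03\x00" + bytes(LEAD_SIZE - 6)
    store = bytes(16 * len(tags))  # 16 dummy bytes per entry, not real signatures
    index = b"".join(struct.pack(">IIII", t, 7, 16 * i, 16) for i, t in enumerate(tags))
    return lead + HDR_MAGIC + bytes(4) + struct.pack(">II", len(tags), len(store)) + index + store

if __name__ == "__main__":
    print(signature_tags(build_sample([62, 1000, 1004, 269])))        # digests only
    print(signature_tags(build_sample([62, 1000, 1004, 269, 1005])))  # carries a GPG tag
```

A mirror script could use the result to decide which packages to hold back; actual verification of the header+payload signatures still requires the whole file.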