Should Fedora rpms be signed?

William Hooper whooperhsd3 at earthlink.net
Thu Oct 28 12:29:05 UTC 2004


Matias Féliciano said:
> On Tuesday, 26 October 2004 at 08:25 -0400, William Hooper wrote:
>
>> nodata said:
>>> A recent scam involving fake updates to Fedora has highlighted the
>>> lack of signed RPMs for Fedora Core.
>>
>> How?  Would it make you feel better if the fake updates had installed a
>> signature first?
>
> Impossible. gpg check is done _before_ installing the package.

Very possible. The fake updates weren't directly an RPM, the instructions
had you run a shell script.

-- 
William Hooper




More information about the fedora-test-list mailing list