Should Fedora rpms be signed?

Matias Féliciano feliciano.matias at free.fr
Thu Oct 28 20:14:57 UTC 2004


On Thursday 28 October 2004 at 15:01 -0400, Jeff Spaleta wrote:
> On Thu, 28 Oct 2004 19:38:02 +0200, Matias Féliciano
> <feliciano.matias at free.fr> wrote:
> > ????
> > "createrepo --addsign ...." is better than "rpm --addsign *.rpm" ?
> > Why ?
> > 
> > > Then there's no misplaced trust on the package, as you'd get by signing
> > > it, but there is verification that it is the right package.
> > 
> > ???? You mean I should not trust the right package ?
> 
> 
> Rawhide packages...by their very nature shouldn't be trusted.

Rawhide packages should be trusted as Rawhide packages.
Without a signature, what seems to be a Rawhide package can be anything.

>  Rawhide
> packages may in no unspecified order:
> eat your children
> pollute your network
> eat your children
> destroy your data
> eat your children
> 
> The problem here is interpretation of what signing a package is meant
> to mean. You really really really want it to be used for something
> new, to imply a level of trust intermediate of what it's been
> traditionally used for and no signing at all. The LOSS, in this case,
> is confusion as to what it means when a package is signed.

A signed package means a signed package.
Go to the gnupg documentation if you want to learn more:
http://www.gnupg.org/documentation/index.html

> (snip)
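The distinction the two posters are arguing over (a repository checksum that says "this is the file the metadata describes" versus a package signature that says "this file came from a key you trust") is easy to demonstrate. The following is an added example, not code from the thread or from Fedora/createrepo. It mimics the checksum part of what createrepo writes into primary.xml and what a client does with it, using a constructed package blob and a constructed XML fragment; the element and attribute names follow the repodata format, but nothing here is real Fedora data.

```python
"""Added example (not from the thread): what a repodata checksum check
does and does not tell you about an RPM.

createrepo records a per-package digest in repodata/primary.xml; the
client re-hashes the downloaded file and compares. That binds the file
to the metadata ("it is the right package") but says nothing about who
built it. Only a signature from a key the client already trusts (a
signed package via rpm --addsign, or a signed repomd.xml) gives that.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for a package file. Real RPMs start with the
# magic bytes ED AB EE DB; the rest of the content is irrelevant here.
PACKAGE = b"\xed\xab\xee\xdb" + b"constructed rawhide package contents"

# Constructed fragment in the shape of createrepo's primary.xml.
PRIMARY_XML_TEMPLATE = """<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>example</name>
    <checksum type="sha256" pkgid="YES">{digest}</checksum>
    <location href="example-1.0-1.noarch.rpm"/>
  </package>
</metadata>
"""

NS = {"c": "http://linux.duke.edu/metadata/common"}


def build_primary_xml(package_bytes):
    """The repository side: hash the file and record the digest."""
    return PRIMARY_XML_TEMPLATE.format(
        digest=hashlib.sha256(package_bytes).hexdigest())


def expected_checksums(primary_xml):
    """Parse primary.xml into {location href: (hash type, hex digest)}."""
    root = ET.fromstring(primary_xml)
    result = {}
    for pkg in root.findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        checksum = pkg.find("c:checksum", NS)
        result[href] = (checksum.get("type"), checksum.text.strip())
    return result


def verify_against_repodata(href, package_bytes, primary_xml):
    """The client side: recompute the digest and compare it."""
    algo, digest = expected_checksums(primary_xml)[href]
    actual = hashlib.new(algo, package_bytes).hexdigest()
    return actual == digest


def demo():
    """Three scenarios; returns (passes, tamper_caught, tamper_undetected)."""
    href = "example-1.0-1.noarch.rpm"
    good_xml = build_primary_xml(PACKAGE)

    # 1. Untouched package against its own metadata: passes.
    passes = verify_against_repodata(href, PACKAGE, good_xml)

    # 2. Package swapped on a mirror, metadata left alone: caught.
    tampered = PACKAGE + b"\x00backdoor"
    tamper_caught = not verify_against_repodata(href, tampered, good_xml)

    # 3. Whoever controls the mirror regenerates the metadata too.
    #    The checksum check is satisfied again; nothing in this
    #    mechanism ties the package to the project that built it.
    forged_xml = build_primary_xml(tampered)
    tamper_undetected = verify_against_repodata(href, tampered, forged_xml)

    return passes, tamper_caught, tamper_undetected


if __name__ == "__main__":
    print(demo())
```

Scenario 3 is the "verification that it is the right package" but no trust case: the hash proves consistency between file and metadata, and an attacker who can rewrite both keeps them consistent. Closing that gap needs a signature verified against a key the client obtained out of band, whether on the package header itself or on the metadata that carries the digests.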
More information about the fedora-test-list mailing list