Should Fedora rpms be signed?

Matias Féliciano feliciano.matias at free.fr
Sun Oct 31 13:55:43 UTC 2004


On Sunday 31 October 2004 at 13:35 +0100, Nils Philippsen wrote:
> On Fri, 2004-10-29 at 12:45 -0600, Rodolfo J. Paiz wrote:
> As outlined above, the process of signing repo metadata and the process
> of signing individual packages isn't that much different in that it
> needs someone or -thing to do the signing. I think signing repo metadata
> is good to augment the signing of packages in that someone certifies a
> specific set of packages, which is a benefit if you e.g. think of some
> bad guy trying to inject a (signed) iptables package into a mirror
> repository that by whatever problem wouldn't work together with the
> kernel already in there.
> 

A "Conflict" field in the rpm is a better solution.

> On the other hand the argument that we should use the presence of a (Red
> Hat) signature as a measure of quality is rather moot in my eyes as I
> have had a number of my packages out there with great difference in
> quality and all of them signed, even with a non-Rawhide key ;-). We have
> to teach the people who think about the signature being a sign of
> quality instead of origin about its real meaning, we shouldn't conform
> to their ill views.

Interesting.
There is _nothing_ that describes Test release and Rawhide. Nothing.
Red Hat did a brilliant job in describing what Fedora is (section About
of fedora.redhat.com).
Red Hat may describe Test release and Rawhide.
This information may also be in the fedora-release package.