FC3T2 up2date - <package> is not signed with a GPG signature

William Hooper whooperhsd3 at earthlink.net
Wed Sep 29 12:14:56 UTC 2004


Matias Feliciano said:
> Le mer 29/09/2004 à 03:35, William Hooper a écrit :
>
>> Matias Feliciano said:
>> [snip]
>>
>>>
>>> rpm --addsign *.rpm. One time per day (for rawhide). I don't know if
>>> rpm can sign in batch mode.
>>
>> What security will that give you?  Any hacked RPM just has to get into
>> rawhide for 24 hours or less and it is automatically signed...
>>
>
> If you don't trust Fedora, don't use Fedora.

You are side stepping the question.

[snip]
> Without signature any rpm package that claim to come from Rawhide is
> suspect

And with your suggestion a signature just means it came from the main
server and speaks nothing if it was actually supposed to be there.

The manual process that is used with releases is the right one.  You know
that package is supposed to be there because a human signed it.  Rawhide
moves too fast for that.  Rather than half-assing it and adding a
meaningless signature, the choice is made to not sign the packages.  If
you don't feel comfortable with that, don't use Rawhide.

-- 
William Hooper
