On Monday 12 January 2004 02:51, Warren Togami wrote:
> There are several reasons why this is a bad idea:
>
> 1) Advisories just don't happen so often to necessitate this.

Maybe not, but it helps to streamline the process and further ensure uniformity in the announcements.

> 2) http://www.fedora.us/LEGACY
> Higher priority to actually work on the packages, which have been
> stalled there for several days.

There are people in the community that do not have the resources/capabilities to perform the QA on packages, yet still wish to contribute to the project. We should not block work from being done by some people, just because there is more "important" work to be done by others.

> 3) This is a HUGE security risk. You should never have an important
> signing key like advisory or package signing on any Internet
> accessible host, especially with the security risk of something like
> PHP or perl and apache. The signing key for packages and advisories
> should be on a secured host with no public services, used for NO
> OTHER PURPOSE.
>
> (i.e. fedora.us signing does not happen at www.fedora.us.)

Which is why this form does not sign the content, rather sends it back to the user or signer in a complete text form, so that the signer can then sign the content and publish it.

--
Jesse Keating RHCE MCSE (geek.j2solutions.net)
Fedora Legacy Team (www.fedora.us/wiki/FedoraLegacy)
Mondo DevTeam (www.mondorescue.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating