Re: Submission policy

On Sun, 04 Jul 2004 14:29:04 +0200, Leonard den Ottolander wrote:

> Hi,
> 
> A question regarding submission policy
> (http://www.fedora.us/wiki/PackageSubmissionQAPolicy):
> Item 4: Why does one need to rpm --resign instead of rpmbuild --sign,
> and why as a different user? Especially the latter puzzles me.

In one word: paranoia.

The user account used to do the compilation should not have access to
any security-relevant files, including GPG private keys. It all boils
down to just another matter of trust. If the packager does trust upstream
developers and upstream source tarball integrity, rpmbuild --sign is
not considered a problem.

> I think it's a good idea to also add this explanation to that page.

Most likely an even better idea is to move it onto the PackagingHints
page.
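
The account separation described in the reply above can be checked before running rpm --resign. The script below is an added example, not part of the original thread or of the Fedora policy. It assumes GNU stat, and the function name and its uid/gid arguments are hypothetical.

```shell
#!/bin/sh
# Added example: audit whether a build account could reach a GPG key directory.
# Usage: keydir_verdict DIR BUILD_UID [BUILD_GID ...]
# Prints "isolated" when the Unix mode bits give the build account no access
# to DIR or to any entry below it, otherwise "exposed: <first offending path>".
# Assumptions: GNU stat; no newlines in path names.
# Not evaluated: POSIX ACLs, sudo rules, root, or copies of the key elsewhere.
keydir_verdict() {
    dir=$1
    build_uid=$2
    shift 2
    build_gids=" $* "                 # space-padded list for whole-word matching
    find "$dir" -exec stat -c '%u %g %a %n' {} + | {
        verdict=isolated
        while read -r uid gid mode path; do
            [ "$verdict" = isolated ] || continue   # keep the first finding only
            bits=$((0$mode))                        # parse the octal mode
            if [ "$uid" = "$build_uid" ]; then
                # An owner can always chmod the entry, whatever the bits say.
                verdict="exposed: $path"
                continue
            fi
            # Unix applies exactly one permission class: group if the account
            # is a member of the entry's group, otherwise "other".
            case $build_gids in
                *" $gid "*) perm=$(( (bits >> 3) & 7 )) ;;
                *)          perm=$(( bits & 7 )) ;;
            esac
            if [ "$perm" -ne 0 ]; then
                verdict="exposed: $path"
            fi
        done
        echo "$verdict"
    }
}
```

Run it as the signing user against that user's own GnuPG directory, passing the uid and group ids of the account that runs rpmbuild.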


