On Sun, 04 Jul 2004 14:29:04 +0200, Leonard den Ottolander wrote:
> Hi,
>
> A question regarding submission policy
> (http://www.fedora.us/wiki/PackageSubmissionQAPolicy):
> Item 4: Why does one need to rpm --resign instead of rpmbuild --sign,
> and why as a different user? Especially the latter puzzles me.

In one word: paranoia. The user account used to do the compilation should
not have access to any security relevant files, including GPG private keys.

It all boils down to just another matter of trust. If the packager does trust
upstream developers and upstream source tarball integrity, rpmbuild --sign
is not considered a problem.

> I think it's a good idea to also add this explanation to that page.

Most likely an even better idea is to move it onto the PackagingHints page.
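The two-account workflow the reply describes (compile as one user, sign the finished packages with `rpm --resign` as another), written out as a small signing script. This is an added example, not code from the mailing-list post or from the fedora.us policy page; the account names "builder" and the signing account's `~/.gnupg` location are assumptions, and the script refuses to sign if the key material is readable by other accounts or if the packages were built by the signing account itself.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or fedora.us. Expresses the
# "build as one user, rpm --resign as another" policy as a script run by the
# signing account. Assumed names: a "builder" account that ran rpmbuild and
# owns the resulting .rpm files, and the signing account's ~/.gnupg keyring.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Owning user of a path (GNU stat first, BSD stat as fallback).
file_owner() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# The account that compiled the package must not be the one holding the key.
users_distinct() {
    [ "$1" != "$2" ]
}

# The keyring must be accessible by its owner only (mode x00), so nothing
# running as the build account can read the private key.
keyring_private() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Step 2 of the policy: sign packages that were already built, then verify the
# signatures. Step 1 (rpmbuild -ba, without --sign) ran earlier as the build
# account, so no key was ever available to the compilation step.
sign_packages() {
    keyring="${GNUPGHOME:-$HOME/.gnupg}"
    keyring_private "$keyring" || {
        echo "refusing to sign: $keyring is readable by other accounts" >&2
        return 1
    }
    for pkg in "$@"; do
        users_distinct "$(file_owner "$pkg")" "$(id -un)" || {
            echo "refusing to sign $pkg: built by the signing account itself" >&2
            return 1
        }
    done
    rpm --resign "$@" && rpm --checksig "$@"
}

# Usage, run as the signing account: ./sign.sh /path/to/*.rpm
if [ "$#" -gt 0 ]; then
    sign_packages "$@"
fi
```

The ownership check is what enforces "as a different user": a package file owned by the account now invoking `rpm --resign` means the build and the signing happened under one identity, which is exactly the situation the policy item exists to avoid.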