On Mon, 5 Nov 2012 18:55:51 +0100
Till Maas <opensource@xxxxxxxxx> wrote:

> Rawhide is not intended to be used for anything important and with any
> security sensitive data because the used packages are not signed.
> Whenever I asked to get Rawhide packages signed I was also told that
> it is, because of Rawhide's use case. Everybody using Rawhide for
> example to maintain Fedora packages is endangering the Fedora
> project.

I am pretty sure there was a plan to make koji sign packages. I don't know what the status of it is however. I would personally love to see koji sign all official builds with a "This was built in koji" key.

> Nevertheless, I still believe it would be better if Fedora started to
> provide signed packages directly from Koji including Rawhide to end
> this problem.

I agree. Any koji folks have any ideas on the status of this feature request?

Oh look: https://fedorahosted.org/koji/ticket/203

Looks like there are patches there... anyone able to test or provide more feedback to get it moving?

> But looking at the current fedup code it seems that
> Fedora is going to be the first distribution that abandons package
> security more and more instead of trying to improve it. As far as I
> know starting with preupgrade doing insecure updates were promoted
> and now they are going to be made mandatory (except for the
> unsupported yum update method).

Please file bugs/patches? I'd like fedup to verify packages if it doesn't already. I'm sure others would too.

kevin
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel