On 04/04/2005 06:33:28 AM, David Hollis wrote:
On Mon, 2005-04-04 at 09:18 +0200, Nils Philippsen wrote:
>
> We had that discussion with FC3 devel (or was it FC2?) already -- I
> argued that we should somehow ensure that all packages leaving the
build
> system (i.e. getting pushed) would be signed with at least some key
to
> ensure package integrity while others argued that this would somehow
> suggest a level of quality in the package which isn't given. The
> discussion didn't lead anywhere tangible unfortunately.
>
It seems to me that the purpose of the sig is not so much as a
guarantee
of quality, as opposed to an insurance that the package hasn't been
tampered (especially if you are pulling packages off of mirrors).
Granted, that isn't how everyone else may interpret it, but I'd rather
see all rawhide packages signed so that if I'm pulling from a mirror I
can feel reasonably assured that someone isn't slipping some badness
into my firefox update or whatever.
Exactly - that's the purpose of a signature, verify that it comes from a trusted source. The GPL which most software is shipped as specifically states there is no guarantee of quality, a signature does not change that ... but a signature does say that the package has not been tampered with between the signing server and the mirror my yum client grabbed it from.
-- Michael A. Peters http://mpeters.us/
