Otto Liljalaakso writes:
Kevin Fenzi kirjoitti 2.11.2022 klo 20.33:So, I suppose the web interface could offer signed copies if they exist, but might be confusing if you don't know what the various keys short hash is. Feel free to file a RFE for koji folks: https://pagure.io/kojiI personally will not, because I have been happily downloading the unsigned builds from Koji for testing, thus I cannot really present the case. But perhaps somebody who would prefer, or insists on, using only signed builds wants to?
Given the package URLs are https:// URLs to the fedoraproject.org domain, their downloads are effectively signed by fedoraproject.org's SSL certificate, which is comparably cryptographically strong as PGP-signed RPMs.
Without having any direct knowledge of the process that PGP-signs the built RPMs, I suppose that it's theoretically possible for fedoraproject.org's web server to be compromised, which would allow for distribution of compromised RPMs, without compromising the PGP-signing infrastructure. But, in exceptional situations like the current one, everyone can weigh all the risk factors and make an intelligent decision by themselves.
Attachment:
pgpPcvNgnDW86.pgp
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
