John Poelstra <poelstra <at> redhat.com> writes:

> * Draft spec for the signing server by f13 is here:
>   http://fedoraproject.org/wiki/JesseKeating/SigningServerSpecDraft

Just one comment here, regarding the draft itself. The Fedora Account System would be used for authentication, which makes sense, but a single compromised account may mean trojaned packages. I know, not very likely (Or is it? Do we force password complexity on folks? Mandatory password changes?), but better be paranoid...

Would it be possible to organise that multiple authorised users have to approve the package for signing before it actually gets signed? That way there are at least some checks and balances in the system.

--
Bojan