On Sunday, 28.10.2007, at 13:40 -0700, Andrew Farris wrote:
> If you keep an eye on where your packages are coming from, even for rawhide,
> then you can be sure that only authorized maintainers have put them into the
> system (control which mirrors you're pulling them from). Actually signing the
> package from the build system would change very little other than insure that
> the mirror you're downloading from did not bring in a new package that doesn't
> belong.

It worries me massively, from a security perspective, that someone from inside Red Hat would say something as wrong as this.

>
> So as it stands, you have to extend trust to the maintainers, and the mirror.
> You can pick which mirror you trust.
>

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list