On Tuesday, 30.10.2007, at 19:25 +0100, nodata wrote:
> On Sunday, 28.10.2007, at 13:40 -0700, Andrew Farris wrote:
> > If you keep an eye on where your packages are coming from, even for rawhide,
> > then you can be sure that only authorized maintainers have put them into the
> > system (control which mirrors you're pulling them from). Actually signing the
> > package from the build system would change very little other than ensure that
> > the mirror you're downloading from did not bring in a new package that doesn't
> > belong.
>
> It worries me massively, from a security perspective, that someone from
> inside Red Hat would say something as wrong as this.

Oh, you don't work for Red Hat. Sorry. But your statement is still
completely off the field.

> >
> > So as it stands, you have to extend trust to the maintainers, and the mirror.
> > You can pick which mirror you trust.
> >
>

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list