nodata wrote: > A recent scam involving fake updates to Fedora has highlighted the lack of > signed RPMs for Fedora Core. What do you mean? | [angenenr@localhorst packages]$rpm -K samba-common-3.0.6-2.fc2.i386.rpm | samba-common-3.0.6-2.fc2.i386.rpm: (sha1) dsa sha1 md5 gpg OK Fedora Core RPMs (as livna.org RPMs and fedora.us RPMs and dag's RPMs and freshrpm's RPMs) *are* cryptographically signed. > "All official updates for Red Hat products are digitally signed and should > not be installed unless they are correctly signed and the signature is > verified." > -- http://www.redhat.com/security/ Look, it even says so in the advisory! > What does the list think about signed RPMs - are they unnecessary for a > community project, or are they useful? You're talking about rawhide? | [angenenr@localhorst tmp]$rpm -v -K zsh-4.2.0-3.i386.rpm | zsh-4.2.0-3.i386.rpm: | Header V3 DSA signature: OK, key ID 4f2a6fd2 | Header SHA1 digest: OK (4bd8d06387d5c7175b60bf200fb84a229d79b7d4) | MD5 digest: OK (16cc40302ebfd42dc2bc1d7f47cd7ded) | V3 DSA signature: OK, key ID 4f2a6fd2 Seems to be signed also. Ralph
Attachment:
pgp4ulgGU670F.pgp
Description: PGP signature