> nodata wrote:
>> A recent scam involving fake updates to Fedora has highlighted the lack
>> of signed RPMs for Fedora Core.
>
> What do you mean?
>
> | [angenenr@localhorst packages]$rpm -K samba-common-3.0.6-2.fc2.i386.rpm
> | samba-common-3.0.6-2.fc2.i386.rpm: (sha1) dsa sha1 md5 gpg OK
>
> Fedora Core RPMs (as livna.org RPMs and fedora.us RPMs and dag's RPMs
> and freshrpm's RPMs) *are* cryptographically signed.
>
>> "All official updates for Red Hat products are digitally signed and
>> should not be installed unless they are correctly signed and the
>> signature is verified."
>> -- http://www.redhat.com/security/
>
> Look, it even says so in the advisory!
>
>> What does the list think about signed RPMs - are they unnecessary for a
>> community project, or are they useful?
>
> You're talking about rawhide?
>
> | [angenenr@localhorst tmp]$rpm -v -K zsh-4.2.0-3.i386.rpm
> | zsh-4.2.0-3.i386.rpm:
> | Header V3 DSA signature: OK, key ID 4f2a6fd2
> | Header SHA1 digest: OK (4bd8d06387d5c7175b60bf200fb84a229d79b7d4)
> | MD5 digest: OK (16cc40302ebfd42dc2bc1d7f47cd7ded)
> | V3 DSA signature: OK, key ID 4f2a6fd2
>
> Seems to be signed also.
>
> Ralph

Fedora Core test (rawhide) isn't signed. Why?
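
An added example, not part of the original message: in the quoted `rpm -v -K` output, digest lines only show the file is intact, while the signature lines are what tie it to a key. The shell function below classifies output in that format; the function name, status labels and the digest-only sample are constructed for illustration, and the expected key ID is simply the one shown in the quoted output.

```shell
#!/bin/sh
# Classify `rpm -v -K` style output read from stdin.
# $1 = key ID the caller expects packages to be signed with (assumption).
# Prints: signed-expected-key | signed-other-key | nokey | unsigned | bad
rpm_sig_status() {
    awk -v want="$1" '
        # A digest/signature line that is neither OK nor NOKEY failed verification.
        /(digest|signature):/ && $0 !~ /: (OK|NOKEY)/ { bad = 1 }
        # rpm reports NOKEY when the signing key has not been imported.
        /signature: NOKEY/ { nokey = 1 }
        /signature: OK, key ID / {
            sigs++
            if (tolower($NF) == tolower(want)) matched++
        }
        /digest: OK/ { digests++ }
        END {
            if (bad || sigs + digests == 0) print "bad"
            else if (nokey)                 print "nokey"
            else if (sigs == 0)             print "unsigned"   # digests only
            else if (matched == sigs)       print "signed-expected-key"
            else                            print "signed-other-key"
        }'
}

# Constructed sample: the verbose output quoted in the message above.
sample_signed() {
cat <<'EOF'
zsh-4.2.0-3.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (4bd8d06387d5c7175b60bf200fb84a229d79b7d4)
    MD5 digest: OK (16cc40302ebfd42dc2bc1d7f47cd7ded)
    V3 DSA signature: OK, key ID 4f2a6fd2
EOF
}

# Constructed sample: the same output with the signature lines absent,
# i.e. a package whose digests verify but which carries no signature.
sample_unsigned() { sample_signed | grep -v 'signature:'; }

sample_signed   | rpm_sig_status 4f2a6fd2
sample_unsigned | rpm_sig_status 4f2a6fd2
```

On a real system the input would come from `rpm -v -K package.rpm`; a result of `unsigned` means only the digests were checked.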