Re: Should Fedora rpms be signed?

nodata said:
>> How?  Would it make you feel better if the fake updates had installed a
>> signature first? Or told you that you had to install a new key from
>> the fake site?  The ONLY thing that signatures tell you is that the RPM
>> has been signed with a particular key, that's it.
>
> An rpm signed by Red Hat tells me that Red Hat signed it.
> No signature == no install.

Have you read the fake e-mail?  RPM was never mentioned.  And again, if
you are falling for an e-mail that has you run an arbitrary script, any
key can be installed to look like a Red Hat key.

> Many of the releases in Rawhide are not signed, why not?

This has been discussed over and over, so look at the archives.  Basically
it boils down to the Rawhide RPMs being automatically generated when there
isn't always someone around to sign them.  Since the whole point of
Rawhide is to get new bits out the door the choice is made not to hold
them for a live body to sign them.

-- 
William Hooper
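
The point made in the message above, that a signature only proves which key signed a package and that a script can import any key under any name, can be checked on a host by auditing the imported RPM keys against an allow-list. This is an added example, not part of the original post; the function names, the pinned key IDs and the sample keyring lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag imported RPM public keys that are not on a pinned list.
# PINNED_KEYIDS holds constructed placeholder IDs; replace them with the IDs of
# keys whose full fingerprints were verified out of band.
PINNED_KEYIDS="0123abcd 89ef4567"

# Reads lines of "<gpg-pubkey package>\t<summary>" on stdin, as produced by
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# Prints one line per key whose ID is not pinned; returns 1 if any was found.
audit_rpm_keys() {
    awk -F '\t' -v pinned="$PINNED_KEYIDS" '
        BEGIN {
            n = split(pinned, p, " ")
            for (i = 1; i <= n; i++) ok[p[i]] = 1
        }
        {
            # Package name is gpg-pubkey-<short key id>-<creation time>.
            split($1, part, "-")
            keyid = tolower(part[3])
            # The summary (key user ID) is free text chosen by whoever made
            # the key, so it is reported but never used for the decision.
            if (!(keyid in ok)) {
                print "UNPINNED " keyid " " $2
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: one pinned key, and one unpinned key whose user ID
# merely claims to be Red Hat.
sample_keyring() {
    printf 'gpg-pubkey-0123abcd-3f000000\tgpg(Example Vendor <security@vendor.example>)\n'
    printf 'gpg-pubkey-deadbeef-40000000\tgpg(Red Hat, Inc <signing@redhat.example>)\n'
}

# Usage on a real host:
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | audit_rpm_keys
# Usage with the constructed sample:
#   sample_keyring | audit_rpm_keys
```

Short key IDs are only a first filter; confirm any key you pin by its full fingerprint obtained through a separate channel.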

