nodata said: >> How? Would it make you feel better if the fake updates had installed a >> signature first? Or told you that you had to install a new key from >> the fake site? The ONLY thing that signatures tell you is that the RPM >> has been signed with a particular key, that's it. > > An rpm signed by Red Hat tells me that Red Hat signed it. > No signature == no install. Have you read the fake e-mail? RPM was never mentioned. And again, if you are falling for an e-mail that has you run an arbitrary script, any key can be installed to look like a Red Hat key. > Many of the releases in Rawhide are not signed, why not? This has been discussed over and over, so look at the archives. Basically it boils down to the Rawhide RPMs being automatically generated when there isn't always someone around to sign them. Since the whole point of Rawhide is to get new bits out the door the choice is made not to hold them for a live body to sign them. -- William Hooper