> > nodata said:
>>> How? Would it make you feel better if the fake updates had installed a
>>> signature first? Or told you that you had to install a new key from
>>> the fake site? The ONLY thing that signatures tell you is that the RPM
>>> has been signed with a particular key, that's it.
>>
>> An rpm signed by Red Hat tells me that Red Hat signed it.
>> No signature == no install.
>
> Have you read the fake e-mail? RPM was never mentioned. And again, if
> you are falling for an e-mail that has you run an arbitrary script, any
> key can be installed to look like a Red Hat key.

My original post:
"A recent scam involving fake updates to Fedora has highlighted the lack of signed RPMs for Rawhide" (prev: Fedora Core)

As in:
"Red Hat's recent commentary on this has made me check that all RPMs that Red Hat issues are really from Red Hat".

>> Many of the releases in Rawhide are not signed, why not?
>
> This has been discussed over and over, so look at the archives. Basically
> it boils down to the Rawhide RPMs being automatically generated when there
> isn't always someone around to sign them. Since the whole point of
> Rawhide is to get new bits out the door the choice is made not to hold
> them for a live body to sign them.

Then perhaps rawhide should be signed with a separate key that signs the packages without a live body.