On Tue, 2004-10-26 at 15:13 +0200, nodata wrote:
> > This has been discussed over and over, so look at the archives. Basically
> > it boils down to the Rawhide RPMs being automatically generated when there
> > isn't always someone around to sign them. Since the whole point of
> > Rawhide is to get new bits out the door, the choice is made not to hold
> > them for a live body to sign them.
>
> Then perhaps rawhide should be signed with a separate key that signs the
> packages without a live body.

If this is done, then it severely reduces the relevance of having them signed in the first place.

My understanding is that, when a package is "signed" by Red Hat, a human steps up to the plate, does certain verifications, then puts in the pass phrase, and hey presto, you have a signed package.

Your suggestion automates the whole process and drastically reduces the security model.

Personally, I am 100% happy for the sandpit to continue to be unsigned; so long as test/released packages are signed, I am happy.

To me, rawhide is only half a step away from CVS. Should the CVS access (once made public) also have everything GPG signed?

Doug
--
Douglas Furlong
Systems Administrator
Firebox.com
T: 0870 420 4475
F: 0870 220 2178