nodata said:

[snip]
> Aside from the verifications carried out by the human (I'm not sure what
> these are), the signed package from Red Hat would have one important
> advantage over an unsigned package from Red Hat - that it really did pass
> through one of the Red Hat build servers.

As the Fedora process opens up this distinction becomes less and less important. Who's to say the malicious person isn't a previously trusted contributor who has decided to work on a different project? Or, as others have pointed out, the build server itself has been cracked?

--
William Hooper