On Tue, Oct 26, 2004 at 04:03:46PM -0600, Rodolfo J. Paiz wrote:
> His point was that if the package is not signed, then it is easier for
> someone to substitute a trojan package on a mirror server. He's arguing
> that signing packages would add one level of useful security (or "trust"
> if you will, in that at least you would know that the package you
> downloaded had been built at Red Hat or by the Fedora Project.

The question is what should it be signed by I guess. Red Hat don't trust or
warrant rawhide packages.