Re: Should Fedora rpms be signed?

On Thursday 28 October 2004 at 15:01 -0400, Jeff Spaleta wrote:
> On Thu, 28 Oct 2004 19:38:02 +0200, Matias Féliciano
> <feliciano.matias@xxxxxxx> wrote:
> > ????
> > "createrepo --addsign ...." is better than "rpm --addsign *.rpm" ?
> > Why ?
> > 
> > > Then there's no misplaced trust on the package, as you'd get by signing
> > > it, but there is verification that it is the right package.
> > 
> > ???? You mean I should not trust the right package ?
> 
> 
> Rawhide packages...by their very nature shouldn't be trusted.

Rawhide packages should be trusted as Rawhide packages.
Without a signature, what seems to be a Rawhide package can be anything.

>  Rawhide
> packages may in no unspecified order:
> eat your children
> pollute your network
> eat your children
> destroy your data
> eat your children
> 
> The problem here is interpretation of what signing a package is meant
> to mean. You really really really want it to be used for something
> new, to imply a level of trust intermediate of what it's been
> traditionally used for and no signing at all. The LOSS, in this case,
> is confusion as to what it means when a package is signed.

A signed package means a signed package.
Go to the gnupg documentation if you want to learn more:
http://www.gnupg.org/documentation/index.html

> (snip)

Attachment: signature.asc
Description: This is a digitally signed message part
