On Thursday 28 October 2004 at 15:01 -0400, Jeff Spaleta wrote:
> On Thu, 28 Oct 2004 19:38:02 +0200, Matias Féliciano
> <feliciano.matias@xxxxxxx> wrote:
> > ????
> > "createrepo --addsign ...." is better than "rpm --addsign *.rpm" ?
> > Why ?
> >
> > > Then there's no misplaced trust on the package, as you'd get by signing
> > > it, but there is verification that it is the right package.
> >
> > ???? You mean I should not trust the right package ?
>
> Rawhide packages...by their very nature shouldn't be trusted.

Rawhide packages should be trusted as Rawhide packages.
Without a signature, what seems to be a Rawhide package can be anything.

> Rawhide
> packages may in no unspecified order:
> eat your children
> pollute your network
> eat your children
> destroy your data
> eat your children
>
> The problem here is interpretation of what signing a package is meant
> to mean. You really really really want it to be used for something
> new, to imply a level of trust intermediate of what it's been
> traditionally used for and no signing at all. The LOSS, in this case,
> is confusion as to what it means when a package is signed.

A signed package means a signed package.
Go to the gnupg documentation if you want to learn more:
http://www.gnupg.org/documentation/index.html

> (snip)