On Thu, 2004-10-28 at 23:40 +0200, Matias Féliciano wrote:
> But I am tired with this mix of authentication, quality, rawhide mean
> "don't complain", trust own unsigned rawhide rpm but don't trust own
> unsigned rpm if it's not rawhide, ... arguments.

I think it's more of a question of attaching a different meaning to things. You see signing the Rawhide packages as a way to know that they were not altered on a mirror, such that you are sure of downloading the actual code produced by Red Hat.

However, Peter and Jeff see signing the package as having the same value as your signature on a legal document: certification of something of value. As such, Fedora releases and updates (even beta releases) are signed, but Rawhide releases are not.

Both points of view make sense, but they attach different meanings to the concept of "signing" something.

My *interpretation* of what you wanted is that you would get exactly what you want by having people sign the metadata in the repository as was suggested earlier. You can then be certain that whatever is in the repo is exactly what it should be.

Now, how do we sign repo metadata?

Cheers,

-- 
Rodolfo J. Paiz <rpaiz@xxxxxxxxxxxxxx>