On Fri, 2004-10-29 at 14:06 -0400, Paul Iadonisi wrote:
> On Fri, 2004-10-29 at 19:37 +0200, Nils Philippsen wrote:
> > On Fri, 2004-10-29 at 11:06 -0600, Rodolfo J. Paiz wrote:
> > [snip]
> >
> > > I see no downside. Since you do, can you provide more detail on what and
> > > why?
> >
> > I see no downside in repo metadata signing either, it's a good thing
> > actually. But it is not an argument on why packages shouldn't be signed
> > individually.
>
> Um...did I miss something? I didn't see anyone suggest *replacing*
> package signing with repo metadata signing. It's just an added measure
> to help ensure that what is on the mirrors is what is on the official
> Red Hat repo. Granted, you still need yum or up2date to use that
> information, but it's still a net gain. In particular for when some
> packages don't get signed, which seems to be what this thread is about
> (today, anyhow ;-)).
> At least, I sure *hope* no one was suggesting foregoing package
> signing. Cuz that would be bad. :-)

Umm yeah. Some people were proposing that Rawhide packages should not be
signed at all. I myself think this is a bad idea and that all packages,
regardless of their quality, should be signed. Hey even more so with bad
packages I want to know who's responsible ;-).

Nils
--
Nils Philippsen / Red Hat / nphilipp@xxxxxxxxxx
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011