On Fri, 2004-10-29 at 20:15 +0200, Nils Philippsen wrote:

[snip]

> Umm yeah. Some people were proposing that Rawhide packages should not be
> signed at all. I myself think this is a bad idea and that all packages,
> regardless of their quality, should be signed. Hey even more so with bad
> packages I want to know who's responsible ;-).

Umm, yeah, then. I see your gripe. And I share it. I do NOT, however, think that an automated signing procedure (password-less, or key stored in an agent or an expect script) is a good idea, regardless of whether or not Red Hat is doing that at the moment. I'd rather have the majority of rawhide packages signed (as they are today) and the few non-signed ones (the several hundred after FC3T1 or FC3T2 being the exception, not the rule) verifiable via a signed list of md5sums.

One thing isn't clear to me, though. I thought the reason that not every package was signed in rawhide was because the person(s) with key signing authority was not available at the time the package was pushed to rawhide. If this is the case, that implies that the rawhide key is not, in fact, password-less and the key is not stored in an agent, nor is the password embedded in some expect script. It requires manually typing the password.

So if that's the case, what do I make of Matias Féliciano's post where he referenced a page on Red Hat's site (sorry, I don't have the reference handy) that indicated that the rawhide key *was* in fact password-less?

-- 
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets