On Fri, 2004-10-29 at 19:37 +0200, Nils Philippsen wrote:

> I see no downside in repo metadata signing either, it's a good thing
> actually. But it is not an argument on why packages shouldn't be signed
> individually.

Sigh... backing up a few steps for historical clarification:

Matías argued that, because *some* Rawhide packages are not signed, one does not have for those packages *any* ability to see that what is on a mirror is in fact exactly what came out of the Red Hat buildsystem. He argued pro signing of all Rawhide packages. Others argued that this has either no value or negative value. A debate ensued as to whether passwordless keys would be better than nothing or worse than nothing.

Someone suggested that, for those Rawhide packages which were not signed, one possible way to get that benefit of knowing that package XYZ on Server A is bit-identical to the one on the main Rawhide server was to sign the repo metadata. It was suggested that this would provide an additional benefit to the rest of the world, at no real downside.

I really liked the idea and said basically that if this has good benefit and no real downside, then how do we get it done?

You came on scene and started arguing that it was a Bad Thing which would destroy the world as we know it. ;-)

We now realize that you are not "contra repo signing" but rather "pro package signing". So welcome to the club. I am also pro package signing, but some Rawhide packages are not signed and at least repo signing helps provide some benefit, and I like that benefit. Matías is vehemently pro signing *every* package, and some people have responded that they either don't want to sign all Rawhide packages, or perhaps even don't want to sign any Rawhide packages. I'll leave exact interpretations to you when you read through the archived thread.

Now... the whole point of this thread is to:

1. Argue that all packages should be signed, even all Rawhide. There appear to be strong feelings either way.

2. In context, it also appeared that repo signing could also be implemented as an *additional* measure that would provide some good benefits. I have not seen any arguments against that other than yours.

What do you think of those two thoughts?

Cheers,

--
Rodolfo J. Paiz <rpaiz@xxxxxxxxxxxxxx>