Re: Should Fedora rpms be signed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Le dimanche 31 octobre 2004 à 13:35 +0100, Nils Philippsen a écrit :
> On Fri, 2004-10-29 at 12:45 -0600, Rodolfo J. Paiz wrote:
> As outlined above, the process of signing repo metadata and the process
> of signing individual packages isn't that much different in that it
> needs someone or -thing to do the signing. I think signing repo metadata
> is good to augment the signing of packages in that someone certifies a
> specific set of packages, which is a benefit if you e.g. think of some
> bad guy trying to inject a (signed) iptables package into a mirror
> repository that by whatever problem wouldn't work together with the
> kernel already in there.
> 

A "Conflict" field in the rpm is a better solution.

> On the other hand the argument that we should use the presence of a (Red
> Hat) signature as a measure of quality is rather moot in my eyes as I
> have had a number of my packages out there with great difference in
> quality and all of them signed, even with a non-Rawhide key ;-). We have
> to teach the people who think about the signature being a sign of
> quality instead of origin about its real meaning, we shouldn't conform
> to their ill views.

Interesting.
There is _nothing_ that describe Test release and Rawhide. Nothing.
Red Hat did a brilliant job in describing what Fedora is (section About
of fedora.redhat.com).
Red Hat may describe Test release and Rawhide.
These informations may also be in the fedora-release package.

Attachment: signature.asc
Description: Ceci est une partie de message =?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=


[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]