On Mon, 1 Nov 2004, Peter Jones wrote:

> On Fri, 2004-10-29 at 09:44 -0500, Ian Pilcher wrote:
> > Jeff Spaleta wrote:
> > >
> > > Can rawhide packages be automatically signed... of course
> > > Does autosigning help the intended, well informed, audience of the
> > > rawhide packages... yes
> > > Does autosigning hurt the unintended, un-informed or mis-informed
> > > audience... i think it does.
> > >
> >
> > So you're suggesting that the use of signed packages should be limited
> > by some "least common denominator" of ignorant users? I suspect that
> > if you broadly adopt that principle, you won't be real happy with the
> > results.
>
> No, this is the wrong problem to discuss. The problem isn't that the
> users are ignorant. The problem is that we've systematically taught
> them what to expect a signature means, and we're going back and saying
> that sometimes -- only sometimes -- it only means part of that.
>
> That's a serious flaw, and it's one we must address before we consider
> implementing any sort of automatic signatures. The way to do so is to
> separate the task of verifying the source (or even the chain of sources,
> if there are mirrors of mirrors) from that of verifying trust of the
> contents.

Are you saying - currently when a package is gpg-signed by a person -
he/she actually goes through a manual process of verifying the following?

- source is not tampered (including the initial .tar.gz, patches, .spec files)
- binary is not tampered
- source -> binary process didn't introduce 'ANY' tampering?

If not - I don't see any big change - as far as user perception goes on
gpg-signing on the build system.

For us users there is no confusion:

- 'rawhide-key' is different from 'redhat-key' - so there is no confusion here.
- 'gpg' signed packages don't => stability (aka rawhide can always eat
  data) - so no confusion here..

Satish
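Peter's point that verifying the source must be kept separate from verifying trust in the contents, and Satish's list of what a signer would actually have to vouch for (tarball, patches, .spec, binary), can be made concrete. The following Go program is an added illustration, not code from this thread, from Fedora, or from rpm/gpg: Ed25519 stands in for GPG, a manifest of sha256 digests stands in for the signed RPM header, and the "rawhide-key"/"redhat-key" policy table is an assumed local configuration, not Red Hat's actual policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// KeyPolicy is a hypothetical, locally configured statement of what a
// signature by a given key is allowed to mean. Not Fedora's actual policy.
type KeyPolicy struct {
	Name            string // label, e.g. "rawhide-key"
	ReviewedByHuman bool   // false: the key only attests "this left the build system"
}

// Keyring maps a hex-encoded Ed25519 public key to its policy.
type Keyring map[string]KeyPolicy

// Manifest covers every artifact Satish lists: source tarball, patches, the
// .spec file and the built binary. One signature over the canonical digest
// binds all of them, so altering any one of them is detectable.
type Manifest struct {
	Package string
	Files   map[string][]byte // constructed stand-ins for real file contents
}

// Digest hashes a canonical listing (sorted names, sha256 per file) so the
// signer and the verifier hash identical bytes regardless of map order.
func (m Manifest) Digest() []byte {
	names := make([]string, 0, len(m.Files))
	for n := range m.Files {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	fmt.Fprintf(&sb, "package=%s\n", m.Package)
	for _, n := range names {
		sum := sha256.Sum256(m.Files[n])
		fmt.Fprintf(&sb, "%s=%s\n", n, hex.EncodeToString(sum[:]))
	}
	d := sha256.Sum256([]byte(sb.String()))
	return d[:]
}

// Verdict keeps the two questions apart: did the bytes arrive unaltered from a
// known signer (Authentic), and does policy for that signer say anything about
// the contents having been reviewed (Trusted).
type Verdict struct {
	Authentic bool
	Signer    string
	Trusted   bool
	Reason    string
}

// Verify answers the origin question first and only then consults policy.
func Verify(k Keyring, m Manifest, pub ed25519.PublicKey, sig []byte) Verdict {
	pol, known := k[hex.EncodeToString(pub)]
	if !known {
		return Verdict{Reason: "signing key not in keyring"}
	}
	if !ed25519.Verify(pub, m.Digest(), sig) {
		return Verdict{Signer: pol.Name, Reason: "signature does not match: contents altered after signing"}
	}
	if !pol.ReviewedByHuman {
		return Verdict{Authentic: true, Signer: pol.Name,
			Reason: "origin verified; key attests build-system output only, not review"}
	}
	return Verdict{Authentic: true, Signer: pol.Name, Trusted: true,
		Reason: "origin verified; key policy says contents were reviewed before signing"}
}

// Scenario builds two constructed signing keys and one package, then returns
// verdicts for an autosigned rawhide build, a human-signed release build, and
// the rawhide build with its binary swapped after signing.
func Scenario() (autosigned, released, tampered Verdict) {
	rawhidePub, rawhidePriv, _ := ed25519.GenerateKey(rand.Reader)
	releasePub, releasePriv, _ := ed25519.GenerateKey(rand.Reader)
	ring := Keyring{
		hex.EncodeToString(rawhidePub): {Name: "rawhide-key", ReviewedByHuman: false},
		hex.EncodeToString(releasePub): {Name: "redhat-key", ReviewedByHuman: true},
	}
	// Constructed stand-in contents; a real build would read the files.
	m := Manifest{Package: "foo-1.0-1", Files: map[string][]byte{
		"foo-1.0.tar.gz": []byte("upstream tarball bytes"),
		"foo-fix.patch":  []byte("--- a/foo.c\n+++ b/foo.c\n"),
		"foo.spec":       []byte("Name: foo\nVersion: 1.0\n"),
		"foo-1.0-1.rpm":  []byte("built binary bytes"),
	}}
	rawhideSig := ed25519.Sign(rawhidePriv, m.Digest())
	autosigned = Verify(ring, m, rawhidePub, rawhideSig)
	released = Verify(ring, m, releasePub, ed25519.Sign(releasePriv, m.Digest()))

	// Swap the binary after signing: the origin check fails before policy is consulted.
	bad := Manifest{Package: m.Package, Files: map[string][]byte{}}
	for n, b := range m.Files {
		bad.Files[n] = b
	}
	bad.Files["foo-1.0-1.rpm"] = []byte("built binary bytes plus backdoor")
	tampered = Verify(ring, bad, rawhidePub, rawhideSig)
	return
}

func main() {
	a, r, t := Scenario()
	for _, v := range []Verdict{a, r, t} {
		fmt.Printf("%-12s authentic=%-5v trusted=%-5v %s\n", v.Signer, v.Authentic, v.Trusted, v.Reason)
	}
}
```

The line worth noticing is the autosigned verdict: the signature is valid and the origin is established, yet Trusted stays false because the policy attached to that key says nothing about review. That is the "only part of that" Peter describes, made explicit to the verifier instead of left to user perception. The tampered case also shows why Satish's checklist matters: once the binary is bound into the signed digest, a swap after signing fails the origin check and never reaches the policy step at all.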