On Mon, 1 Nov 2004, Peter Jones wrote:

<snip>

> It says that we intended to release it in a form that is fit to be used.

I don't see any problem with this reasoning for rawhide. 'form that is fit to be used' here would imply 'testing'.

> (Although clearly it does not imply any warranty, including the implied
> warranties of merchantability and fitness for a particular purpose ;)
>
> It says we believe that the actual data in the package headers -- the
> scriptlets, the triggers, the conflicts, the provides, etc. -- are of a
> quality that Fedora believes is sufficient for release.

rawhide is not a release - so no one will confuse signed packages in rawhide as 'release quality' - and won't eat 'data'. - so no conflict here.

> These things are Red Hat's and Fedora's value add, and a signature
> says that we believe we've actually added value.

Yes - no conflict here. (there is value added in rawhide)

> It also conveys that some packager whom we trust has looked over the
> payload and does not consider its contents to be *hostile* to our users.

This is the primary point of difference. Personally - I'd like to know EXACTLY what's done by the package signer to guarantee 'no' tampering 'anywhere' (source/binary/process). My contention is - not much difference other than a 'cursory' check.

> Consider RHEL errata. When RH releases an erratum, the signature
> doesn't just say "this is some package from Red Hat". It says that
> you can use the signature, combined with the checksums and the data
> in the erratum.

For what can they be used? No one confuses RHEL errata with Fedora errata - or with rawhide. (none of them are interchangeable). So there is no conflict of concepts on signing on this point (wrt rawhide).

> You should already know the answer here. What the signature
> provides is a way to verify Red Hat's intent and belief that the
> package in the user's hands does actually fix the problems described
> in the erratum, and to some (lesser) extent that it does not
> introduce more problems

No confusion here either - as rawhide packages are never mistaken for erratum packages. And each branch (RHEL/fedora/rawhide) should have its own different gpg-keys anyway.

Satish