On Mon, 1 Nov 2004, Jeff Spaleta wrote:

> On Mon, 1 Nov 2004 13:47:32 -0600 (CST), Satish Balay <balay@xxxxxxxxxxx> wrote:
> > But unless you are saying: somehow the current non-gpg-signed packages
> > are preventing such folks from doing the wrong things (listed above) -
> > and 'gpg-signing' encourages them to do them - your text adds no
> > substance to the discussion.
>
> Fine, I'll repeat myself... again.
>
> Yes... I firmly believe... that long term... as tools become more
> signature aware and tools become more demanding that signatures be
> present on consumable rpms, that signing throw-away packages like
> rawhide packages encourages people to use those packages out of
> context, and encourages people to store individual rawhide packages
> for later use on other systems, instead of encouraging people to use
> a full rawhide collection.

I (as a clueless user) can do the same thing with unsigned packages.
gpg doesn't encourage anything new to the clueless user.

> > We can argue about the technical definition of what gpg-signing
> > means.

Let's not.

> This is a matter of common perception as to what signing a package
> means, and what vendors have historically wanted people to think
> signing a package means... in the context of rpm's implementation of
> signing and not in the context of gnupg's or pgp's general purpose
> implementation. And I argue that historically... rpm package
> signing has meant more than "built on this host" and that many
> vendors including Red Hat have meant it to mean more than "built on
> this host." And I will argue that until rpm gets support for the
> trust metric concept using signed keys, signing rawhide packages
> encourages people to "trust" rawhide packages. Where "trust" is a
> quantifiable measurement based on key signatures.
>
> -jef

- Here the assumption is: EVERYONE's perception about gpg-signed rpms
  (or rawhide) is the same.
- And perception is no excuse for proper documentation.
- There will always be wrong assumptions by users.

This doesn't equate to not signing rawhide packages. [And documenting it]

And as Matias already pointed out - let's not mix QA perception with 'signature'.

Satish