Re: Should Fedora rpms be signed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2004-11-01 at 14:51 -0600, Satish Balay wrote:

> - Here the assumption is: EVERONE's perception about gpg-signed rpms
> (or rawhide) is the same.

No, just that a significant number of people to make us all miserable
believe it means more than "the vendor says this is the one you meant to
download".

> - And perception is no excuse for proper documentaion. 

But when proper documentation and perception differ, perception has
already won.  I agree, we should document whatever is agreed upon.  But
let's not agree on something unlike the real world's current perception.
That's just silly.

And still, proper documentation is no excuse for non-explicit data
formats.

> - There will always be wrong assumptions by users. This doesn't equate
> to not signing-rawhide-packages. [And documenting it]

The proposal for signing rawhide packages does nothing to dissuade those
wrong assumptions, even though it's a relatively easy thing.

> And as Matias already pointed out - lets not mix QA perception with
> 'signature'.

And let's not mix "signature" with "signature on one piece of data that
makes a specific claim".  We don't have the latter, and it's best not to
use the former at places where it's important for people to have the
more limited set of expectations.

-- 
        Peter

"Traveling through hyperspace isn't like dusting crops, boy."
                -- Solo


[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]