Re: Should Fedora rpms be signed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Mon, 1 Nov 2004, Peter Jones wrote:

> On Mon, 2004-11-01 at 17:34 -0600, Satish Balay wrote:
> > Ok - you & Seth seem to have a solution to the problem.
> > 
> > Still no good explanation why ALL keys should be treated the same.
> 
> Because there's nothing about a key that tells you how to treat it.

Thats because the 'user' decides how to use the key - and had a choice
to differenciate.

> > To me 'rehdat-key' is different from 'linva-key' etc. And I think
> > rawhide can do the same.
> > 
> > The analogy I keep thinking is 'my signature' is differnet than
> > 'RedHat's CEO's signature' treating both to mean the same is nuts..
> 
> But the signature isn't different in kind.  You just "know" which
> documents one is good on and which one isn't. But we don't have that
> kind of knowledge for all keys.  We don't know which repositories each
> key is good for what on, and making the infrastructure to tell that
> about keys is a lot of work.  Making the infrastructure for a key to
> sign something which tells us is significantly easier, I think.

Ok - here you want the key to carry additional pay-load - and the
infracture tools automatically use/manage this info.

But I'm thinking the user manages keys - and assigns meaning to it.
For eg: I'd like to be able to say:

- if updates signed with 'fedora.us-key' give me a big fat warning. 
- if update signed with 'fedora.us-key' && foo-bar-key - go ahead and
  install. (where foo-bar user contributed that package to fedora.us)

I guess both modes should be possible.

Satish


[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]