Meeting summary/minutes from today's FESCo meeting (2010-09-14)
Bruno Wolff III
bruno at wolff.to
Thu Sep 16 20:15:09 UTC 2010
On Thu, Sep 16, 2010 at 18:48:03 +0200,
Till Maas <opensource at till.name> wrote:
>
> Latest design decisions for package management tools include to sign and
> verify packages before they are installed. Rawhide RPMs are afaik not
> signed, therefore using it for any non testing system that might contain
> sensitive data is not a good decision.
I believe there is a proposal to sign all packages in either bohdi or koji
at some point. Signing would only indicate the package was build on Fedora
infrastructure, which is slightly less checking than gets done now, but
is probably good enough since there is already a lot of trust going on.
More information about the devel
mailing list