Zbigniew Jędrzejewski-Szmek wrote:
I don't buy that reasoning. You sign stuff to prevent silent
modification (because of malice or corruption), and not to track
changes; we have better mechanisms for that.
Signing is much more than an integrity proof, for which hash values would
suffice. The fact that some upstreams sign their code (in particular when
the code is security critical) means that they're willing to take responsibility for
the code in the form "they signed it off". It is sometimes very easy to ruin
a secure system by modifying it (with a patch or some code in the spec file
doesn't matter). That's why I thought it might make sense for the packager
to take responsibility for his modifications by signing them.
The changelog doesn't really reflect the modifications in enough detail.