On Tue, Aug 26, 2008 at 03:27:43 +0000,
Bojan Smojver <bojan(a)rexursive.com> wrote:
> I guess from Red Hat's point of view, the only difference would be that Fedora
> packages would not be valid unless signed and uploaded back to updates by
> (required number of) other signatories.
I don't think you are really going to gain much from doing that. And there
is certainly going to be a lot of pain associated with that. It creates
extra work, adds delays, and adds a dependence on third parties. And it
doesn't completely prevent people from getting bad code signed.