Les Mikesell <lesmikesell <at> gmail.com> writes:
> But what if
> it is the src rpm that is compromised so the builds will be identical
> because they both contain the modification?

That is not exactly the compromise of the build system and/or Fedora key, now is
it? If your own contributors are subverting the system by uploading borked
source, the multi-key system isn't going to help (and I never claimed that).

For people that are not convinced of the usefulness of this (in principle), go
to a bank and try to open an account. See if they'll be OK with you producing
just one piece of ID.

--
Bojan