On So Oktober 28 2007, Andrew Farris wrote:
prevent that either (in rawhide). Testing rawhide isn't for boxes with corporate sensitive data...
This seems not to be common knowledge, because afaik even Fedora Maintainers use Rawhide on a system, where they create new packages.
Actually signing the package from the build system would change very little other than insure that the mirror you're downloading from did not bring in a new package that doesn't belong.
Imho it is a big benefit, because it is very easy for a mirror maintainer to change a package. Also someone who breaks into a mirror can easily cause heavy damage. And last but not least, the manipulation of the package can also happen on the connection to the mirror, e.g. on conferences with free/open wifi/internet access.
Regards, Till