On Wed, 2003-12-31 at 15:43, Michael Schwendt wrote:
On Wed, 31 Dec 2003 02:42:28 -1000, Warren Togami wrote:
> rpm-4.2.2 in rawhide and all future versions should discourage the use
> of rpmbuild --sign. Perhaps this can be done effectively by adding a
> large and annoying warning message and 15 second delay. Or disable it
> completely. I don't care how, just discouragement should be done.
This is an over-ambitious proposal. How do you want to prevent users from
test-driving a built binary rpm with their normal user account where the
malicious software has access to many other security relevant data?
People don't build src.rpms for fun. They build them to install
packages as root (!) and then to use them from within their normal user
He's talking about 'rpmbuild --sign zbr' and not 'rpmbuild zbr'
The problem is well explained, and only who doesn't believe a trojan
could be inject in apparently good source code (ie, downloaded from
, for instance -- ever heard of dns spoofs?) doesn't understand.
When I build RPMS for AbiWord, I build the RPMS with a specific user for
rpmbuilding, and sign the rpms afterward with my key, on my account.
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
Please AVOID sending me WORD, EXCEL or POWERPOINT attachments.