#6267: sign ostree commits
------------------------------+-----------------------
Reporter: walters | Owner: rel-eng@…
Type: task | Status: new
Milestone: Fedora 23 Final | Component: koji
Resolution: | Keywords:
Blocked By: | Blocking:
------------------------------+-----------------------
Comment (by walters):
Metalink and TLS is good, but it's not a direct replacement for GPG. For
example:
- GPG is inherently "pinned", whereas the TLS default allows all ca-certs
which allows a *lot* of organizations to MITM
- GPG is much easier to verify "offline"
As far as the manual step - I'd be fine with an automated process.
--
Ticket URL: <
https://fedorahosted.org/rel-eng/ticket/6267#comment:2>
Fedora Release Engineering <
http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project