How? Would it make you feel better if the fake updates had installed a
signature first? Or told you that you had to install a new key from the
fake site? The ONLY thing that signatures tell you is that the RPM has
been signed with a particular key, that's it.
An rpm signed by Red Hat tells me that Red Hat signed it.
No signature == no install.
Many of the releases in Rawhide are not signed, why not?
The only thing that was shown is that there are potentially people that
will blindly follow directions from any random e-mail they receive.
(I leave to others to explain the difference between "Fedora Core" RPMs
(that are signed) and "Rawhide" RPMs (which may or may not be signed).)
--
William Hooper