On Mon, 1 Nov 2004, Peter Jones wrote:
<snip>
It says that we intended to release it in a form that is fit to be
used.
I don't see any problem with this reasoning for rawhide. 'form that is
fit to be used' here would imply 'testing'.
(Although clearly it does not imply any warranty, including the implied
warranties of merchantability and fitness for a particular purpose ;)
It says we believe that the actual data in the package headers -- the
scriptlets, the triggers, the conflicts, the provides, etc. -- are of a
quality that Fedora believes is sufficient for release.
Rawhide is not a release, so no one will confuse signed packages in
rawhide with 'release quality', and won't eat 'data', so there is no
conflict here.
These things are Red Hat's and Fedora's value add, and a signature
says that we believe we've actually added value.
Yes - no conflict here. (there is value added in rawhide)
It also conveys that some packager whom we trust has looked over the
payload and does not consider its contents to be *hostile* to our users.
This is the primary point of difference. Personally, I'd like to know
EXACTLY what's done by the package signer to guarantee 'no' tampering
'anywhere' (source/binary/process). My contention is: not much
difference other than a 'cursory' check.
Consider RHEL errata. When RH releases an erratum, the signature
doesn't just say "this is some package from Red Hat". It says that
you can use the signature, combined with the checksums and the data
in the erratum. For what can they be used?
No one confuses RHEL errata with Fedora errata, or with
rawhide (none of them are interchangeable). So there is no conflict of
concepts on signing on this point (wrt rawhide).
You should already know the answer here. What the signature
provides is a way to verify Red Hat's intent and belief that the
package in the user's hands does actually fix the problems described
in the erratum, and to some (lesser) extent that it does not
introduce more problems.
No confusion here either - as rawhide packages are never mistaken for
erratum packages.
And each branch (RHEL/fedora/rawhide) should have its own different
gpg-keys anyway.
Satish