Time to resurrect multi-key signatures in RPM?
Bojan Smojver
bojan at rexursive.com
Tue Aug 26 03:27:43 UTC 2008
Tom Lane <tgl <at> redhat.com> writes:
> Yup, packagers are going to do that, sure...
That was the intention, yes. Packagers would notify all signatories (with a
signed e-mail) that they've built a new package destined for updates and that
signatories should review and sign it. We're still working out the details of
making sure packages are genuine in another thread :-)
I guess from Red Hat's point of view, the only difference would be that Fedora
packages would not be valid unless signed and uploaded back to updates by
(required number of) other signatories.
--
Bojan