Time to resurrect multi-key signatures in RPM?

Bojan Smojver bojan at rexursive.com
Tue Aug 26 03:27:43 UTC 2008


Tom Lane <tgl <at> redhat.com> writes:

> Yup, packagers are going to do that, sure...

That was the intention, yes. Packagers would notify all signatories (with a
signed e-mail) that they've built a new package destined for updates and that
signatories should review and sign it. We're still working out the details of
making sure packages are genuine in another thread :-)

I guess from Red Hat's point of view, the only difference would be that Fedora
packages would not be valid unless signed and uploaded back to updates by
(required number of) other signatories.

--
Bojan
