Time to resurrect multi-key signatures in RPM?
Bruno Wolff III
bruno at wolff.to
Tue Aug 26 07:13:08 UTC 2008
On Tue, Aug 26, 2008 at 03:27:43 +0000,
Bojan Smojver <bojan at rexursive.com> wrote:
> I guess from Red Hat's point of view, the only difference would be that Fedora
> packages would not be valid unless signed and uploaded back to updates by
> (required number of) other signatories.
I don't think you are really going to gain much from doing that. And there
is certainly going to be a lot of pain associated with that. It creates
extra work, adds delays, and adds a dependence on third parties. And it
doesn't completely prevent people from getting bad code signed.
More information about the devel