Ready for new RPM version?
jonathan at jonmasters.org
Fri Feb 27 21:30:22 UTC 2009
On Fri, 2009-02-27 at 13:21 -0800, Adam Williamson wrote:
> On Fri, 2009-02-27 at 16:01 -0500, Jon Masters wrote:
> > On Fri, 2009-02-27 at 12:14 -0800, Adam Williamson wrote:
> > > On Fri, 2009-02-27 at 13:24 +0100, Till Maas wrote:
> > > > On Fr Februar 27 2009, Adam Williamson wrote:
> > > >
> > > > > It would be nice to have everyone who works on Rawhide, work *from*
> > > > > Rawhide. I suspect this would make people generally less keen to break
> > > > > stuff. =)
> > > >
> > > > I hope that nobody does this, because the rpm packages for Rawhide are not
> > > > signed and therefore should not be trusted.
> > >
> > > Huh. I didn't know that. Is there some reason why not? Is it the manual
> > > signing thing?
> > It's not actually just that though, due to the amount of churn, open ACL
> > lists, and so forth, I think you'd need to do a lot more before you
> > could go using rawhide for day-to-day stuff. Of course people more
> > trusting than myself will happily argue otherwise :)
> Hmm. As far as I can see, signing Rawhide packages would still have
> value, in that it would prove that the package was created either by an
> approved maintainer of that package or by a Proven Packager, and was
> properly built through the official build system (it should, anyway, if
> the signing process is properly situated at the end of the above process
> and can't be accessed in any other way).
Yeah, still doesn't protect against the guy who introduces a new package
today that includes an updated configuration for my VPN client, or my
email client, or a host of other stuff I might be using and rely upon.
IMHO it's not the place of the development branch of a distribution to
provide the level of protection from such things. This is why I run my
tests mostly on old hardware or on virtual machines - I copy stuff into
the virtual machine, have only toy passwords on it, etc. It's not a
perfect protection, but I view it as a reasonable precaution against
"kitten consumption" or even malicious attempts to harm Fedora.
More information about the devel