Meeting summary/minutes from today's FESCo meeting (2010-09-14)

Bruno Wolff III bruno at
Thu Sep 16 20:15:09 UTC 2010

On Thu, Sep 16, 2010 at 18:48:03 +0200,
  Till Maas <opensource at> wrote:
> Latest design decisions for package management tools include signing and
> verifying packages before they are installed. Rawhide RPMs are afaik not
> signed, therefore using it for any non-testing system that might contain
> sensitive data is not a good decision.

I believe there is a proposal to sign all packages in either bodhi or koji
at some point. Signing would only indicate the package was built on Fedora
infrastructure, which is slightly less checking than gets done now, but
is probably good enough since there is already a lot of trust going on.
