vsftpd in the news
Nils Philippsen
nils at redhat.com
Tue Jul 5 09:13:26 UTC 2011
On Mon, 2011-07-04 at 23:27 -0500, Michael Cronenworth wrote:
> On 07/04/2011 10:53 PM, Paul Wouters wrote:
> > It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script
> > automatically check the tar ball.
>
> Hm, yes. It would be nice to see Koji support checking source sigs. OBS
> already does so. Seeing as Debian has done this for years with the
> source .deb including a signature file, RPM >4.9 could support sigs for
> the Source0 file.
Making Source0 a special case sounds rather dirty to me; if at all, such
functionality should be available for all source files (and patches
eventually).
Furthermore, just having a signature file doesn't help a bit if you
can't be sure who created the signature... and I suspect if we were to
restrict ourselves to upstream packages that a) have gpg signatures b)
from keypairs not more than a certain "distance" (web-of-trust-wise)
away from a known good keypair, we'd be able to trim down the package
repositories substantially ;-). So for the time being I guess we should
stick with letting package maintainers check this (if there is anything
to check).
Nils
--
Nils Philippsen
Red Hat
nils at redhat.com
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011

"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin, 1759
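The two points raised in the message above (a signature is only useful if the signing key can be tied to a known-good key, and any check should cover every source file and patch, not just Source0) can be turned into a concrete policy. The following is an added example and is not code from the thread, from Fedora, Koji or rpmbuild: it models the web of trust as a graph of key certifications, measures the hop distance from a set of trusted root keys to the key that signed each file, and rejects files whose signer is missing, unreachable, or further away than a configured limit. All fingerprints, the certification graph and the per-file "which key signed this" results are constructed stand-ins for what `gpg --verify` and a keyring would report.

```python
"""Added example (not part of the original thread): a trust policy for
upstream tarball and patch signatures, applied uniformly to every file.

Everything below is constructed: fingerprints are placeholder strings,
the certification graph is invented, and VERIFICATION_RESULTS stands in
for the signer fingerprint a real `gpg --verify` run would report."""

from collections import deque

# Constructed web of trust: certifier fingerprint -> fingerprints of the
# keys that certifier has signed. (Placeholder fingerprints, not real keys.)
CERTIFICATIONS = {
    "FP-DISTRO-KEY": {"FP-MAINTAINER-A", "FP-MAINTAINER-B"},
    "FP-MAINTAINER-A": {"FP-UPSTREAM-X"},
    "FP-MAINTAINER-B": {"FP-UPSTREAM-X", "FP-UPSTREAM-Y"},
    "FP-UPSTREAM-Y": {"FP-UPSTREAM-Z"},
}

# Keys treated as known-good a priori (the "known good keypair").
TRUSTED_ROOTS = {"FP-DISTRO-KEY"}


def wot_distance(graph, roots, target):
    """Breadth-first search from the trusted roots along certification edges.
    Returns the number of hops to `target`, or None if it is unreachable."""
    if target in roots:
        return 0
    seen = set(roots)
    queue = deque((root, 0) for root in roots)
    while queue:
        fingerprint, hops = queue.popleft()
        for certified in graph.get(fingerprint, ()):
            if certified == target:
                return hops + 1
            if certified not in seen:
                seen.add(certified)
                queue.append((certified, hops + 1))
    return None


def signer_acceptable(signer, max_distance, graph=CERTIFICATIONS, roots=TRUSTED_ROOTS):
    """Accept a signing key only if it lies within max_distance hops of a root."""
    distance = wot_distance(graph, roots, signer)
    return distance is not None and distance <= max_distance


# Constructed stand-in for signature verification results: for each source
# file or patch, the fingerprint of the key that produced a valid detached
# signature, or None when there is no signature or it did not verify.
VERIFICATION_RESULTS = {
    "foo-1.0.tar.gz": "FP-UPSTREAM-X",        # 2 hops from the root
    "foo-docs-1.0.tar.gz": "FP-UPSTREAM-Z",   # 3 hops from the root
    "foo-fix-build.patch": None,              # unsigned patch
    "libbar-2.3.tar.xz": "FP-STRANGER",       # key nobody trusted has certified
}


def check_sources(results, max_distance=2, graph=CERTIFICATIONS, roots=TRUSTED_ROOTS):
    """Apply the policy to every file (not only Source0).
    Returns a dict of file name -> (accepted, reason)."""
    report = {}
    for name, signer in results.items():
        if signer is None:
            report[name] = (False, "no valid signature")
            continue
        distance = wot_distance(graph, roots, signer)
        if distance is None:
            report[name] = (False, f"signer {signer} is not reachable from any trusted root")
        elif distance > max_distance:
            report[name] = (False, f"signer {signer} is {distance} hops away (limit {max_distance})")
        else:
            report[name] = (True, f"signer {signer} is {distance} hops from a trusted root")
    return report


if __name__ == "__main__":
    for name, (accepted, reason) in check_sources(VERIFICATION_RESULTS).items():
        print(f"{'OK  ' if accepted else 'FAIL'} {name}: {reason}")
```

With the constructed data and a two-hop limit, only `foo-1.0.tar.gz` passes; the docs tarball fails because its signer is three hops out, the patch fails for lacking a signature, and `libbar` fails because nobody in the trusted graph has certified its signer. The distance limit is the knob the message describes: tightening it shrinks the set of packages whose upstream signatures the build system would accept on its own, which is exactly why the author expects maintainers to keep doing the check by hand for now.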