Rawhide
Kevin Fenzi
kevin at scrye.com
Mon Nov 5 18:32:07 UTC 2012
On Mon, 5 Nov 2012 18:55:51 +0100
Till Maas <opensource at till.name> wrote:
> Rawhide is not intended to be used for anything important and with any
> security sensitive data because the used packages are not signed.
> Whenever I asked to get Rawhide packages signed I was also told that
> it is, because of Rawhide's use case. Everybody using Rawhide for
> example to maintain Fedora packages is endangering the Fedora
> project.
I am pretty sure there was a plan to make koji sign packages. I don't
know what the status of it is however.
I would personally love to see koji sign all official builds with a
"This was built in koji" key.
> Nevertheless, I still believe it would be better if Fedora started to
> provide signed packages directly from Koji including Rawhide to end
> this problem.
I agree. Any koji folks have any ideas on the status of this feature
request?
Oh look:
https://fedorahosted.org/koji/ticket/203
Looks like there are patches there... anyone able to test or provide
more feedback to get it moving?
> But looking at the current fedup code it seems that
> Fedora is going to be the first distribution that abandons package
> security more and more instead of trying to improve it. As far as I
> know starting with preupgrade doing insecure updates were promoted
> and now they are going to be made mandatory (except for the
> unsupported yum update method).
Please file bugs/patches?
I'd like fedup to verify packages if it doesn't already. I'm sure others
would too.
kevin