icecat or/and firefox?
luto at mit.edu
Mon Jan 27 19:28:46 UTC 2014
On Mon, Jan 27, 2014 at 10:59 AM, poma <pomidorabelisima at gmail.com> wrote:
> On 27.01.2014 19:52, Kevin Fenzi wrote:
>> copr has no provision currently to sign packages.
>> I think it's on the todo list, but it will not be easy to implement in
>> a secure way.
I'm skeptical about the whole package-signing thing. Why don't we
sign repository metadata and have that metadata store hashes of the
appropriate packages? Then adding a key for a repository wouldn't
magically allow that key to sign packages claiming to come from a
different repository. It would also prevent various
Configuration could be simpler, too:
metalink_key=[private key, specified right here]
I doubt that GPG's keyring concepts or web-of-trust stuff add any
security whatsoever to things like rpm and yum. They do, however,
make configuration unnecessarily arcane.
More information about the devel