Should Fedora rpms be signed?

Satish Balay balay at fastmail.fm
Mon Nov 1 19:34:24 UTC 2004



On Mon, 1 Nov 2004, Matias Féliciano wrote:

> A signature, which can be part of a quality process, ensures where the
> information/data/package comes from. A signature is not a certificate of
> quality _without_ a quality process.

Totally agree. All the points raised so far were mostly related to QA
for RHEL.

One can argue that even rawhide has a QA - and the gpg-sign is part of
the QA process. However, the QA for RHEL is totally different from QA
for Fedora (release) - which is different from QA for rawhide. So
there is no conflict in the model - and no good reason yet for not
gpg-signing.

Any argument which says 'users will confuse gpg-signed rawhide
packages as RHEL QA'ed packages' is bogus. (Any user inferring this
from the gpg-signature - and thinking it's safe to use rawhide instead of
fedora-core-release/RHEL - is nuts.)

Satish

