Should Fedora rpms be signed?
Satish Balay
balay at fastmail.fm
Mon Nov 1 20:03:02 UTC 2004
On Mon, 1 Nov 2004, Peter Jones wrote:
<lot of text trimmed to be digested later - mostly looks like RHEL-QA
vs Fedora-QA vs Rawhide-QA >
> > For us users there is no confusion:
> > - 'rawhide-key' is different from 'redhat-key' - so there is no confusion here.
>
> Make this work in a world where users draw from multiple, unrelated
> repositories. Some people (not very many) know that rawhide-key means
> it isn't for a production release. But Joe Foo's repositories have
> packages signed with joefookey1 and joefookey2. Which is which?
>
> This is not viable.
This is not the problem under discussion. 'Current' rawhide doesn't
fix it. gpg-signed rawhide won't fix it.
>
> > - 'gpg' signed packages doesn't => stability (aka rawhide can always
> > eat data) - so no confusion here..
>
> The signature *sometimes* does imply that. If the only difference is
> the key, then there's really not any way to tell when.
If you think 'gpg-signing' rawhide packages changes the meaning of
'rawhide' - and adds in stability 'connotation' - I don't know what to
say. I've reached the end of my logical reasoning. Will stop now.
Satish