Should Fedora rpms be signed?

nodata fedora at nodata.co.uk
Tue Oct 26 11:17:54 UTC 2004


> nodata wrote:
>> A recent scam involving fake updates to Fedora has highlighted the lack
>> of
>> signed RPMs for Fedora Core.
>
> What do you mean?
>
> | [angenenr at localhorst packages]$rpm -K samba-common-3.0.6-2.fc2.i386.rpm
> | samba-common-3.0.6-2.fc2.i386.rpm: (sha1) dsa sha1 md5 gpg OK
>
> Fedora Core RPMs (as livna.org RPMs and fedora.us RPMs and dag's RPMs
> and freshrpm's RPMs) *are* cryptographically signed.
>
>> "All official updates for Red Hat products are digitally signed and
>> should
>> not be installed unless they are correctly signed and the signature is
>> verified."
>>  -- http://www.redhat.com/security/
>
> Look, it even says so in the advisory!
>
>> What does the list think about signed RPMs - are they unnecessary for a
>> community project, or are they useful?
>
> You're talking about rawhide?
>
> | [angenenr at localhorst tmp]$rpm -v -K zsh-4.2.0-3.i386.rpm
> | zsh-4.2.0-3.i386.rpm:
> |     Header V3 DSA signature: OK, key ID 4f2a6fd2
> |     Header SHA1 digest: OK (4bd8d06387d5c7175b60bf200fb84a229d79b7d4)
> |     MD5 digest: OK (16cc40302ebfd42dc2bc1d7f47cd7ded)
> |     V3 DSA signature: OK, key ID 4f2a6fd2
>
> Seems to be signed also.
>
> Ralph
> --
> fedora-test-list mailing list
> fedora-test-list at redhat.com
> To unsubscribe:
> http://www.redhat.com/mailman/listinfo/fedora-test-list

Packages for Fedora Core test (rawhide) aren't always signed.

Why?
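An added example, not part of the thread above: a small POSIX sh filter for the terse `rpm -K` output quoted earlier. The point it makes is the one this thread turns on: `rpm -K` prints "OK" whenever the header and payload digests check out, so an unsigned package (output of the form "pkg.rpm: sha1 md5 OK") is reported as "OK" just like a signed one; only the presence of a "gpg" (or "pgp") token next to that "OK" tells you a signature was actually verified. The output formats in the comments are assumed from rpm 4.x-era behaviour, and the sample lines in the test are constructed, modelled on the ones Ralph posted.

```shell
#!/bin/sh
# Added example (not the list's or Fedora's code): classify lines of terse
# `rpm -K` output so that "OK" is not mistaken for "signed".
#
# Assumed terse output formats (rpm 4.x era; the first is the form quoted
# in the thread):
#   signed, key imported:    pkg.rpm: (sha1) dsa sha1 md5 gpg OK
#   unsigned (digests only): pkg.rpm: sha1 md5 OK
#   signed, key not imported:
#       pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#4f2a6fd2)
#   tampered/corrupt:        pkg.rpm: (SHA1) DSA SHA1 MD5 (GPG) NOT OK

# classify_checksig_line LINE
# Prints one of: signed, unsigned, unverified, bad.
classify_checksig_line() {
    case "$1" in
        *"NOT OK"*"MISSING KEYS"*) echo unverified ;;  # signed, but key unknown here
        *"NOT OK"*)                echo bad ;;         # digest or signature failed
        *" gpg OK"|*" pgp OK")     echo signed ;;      # signature verified against a key
        *" OK")                    echo unsigned ;;    # only digests checked: no signature
        *)                         echo bad ;;         # anything unrecognised is not trusted
    esac
}

# audit_checksig
# Reads `rpm -K` output on stdin, prints "<status> <file>" per package, and
# returns non-zero unless every package is signed with an imported key.
# Usage:  rpm -K *.rpm | audit_checksig
audit_checksig() {
    rc=0
    while IFS= read -r line; do
        file=${line%%:*}
        status=$(classify_checksig_line "$line")
        printf '%s %s\n' "$status" "$file"
        [ "$status" = signed ] || rc=1
    done
    return $rc
}
```

The filter is deliberately strict: a missing key is reported as "unverified" rather than "signed", because a signature you cannot check against a key you imported out of band is no better than no signature for the fake-update scenario that started this thread.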



