Should Fedora rpms be signed?
nodata
fedora at nodata.co.uk
Tue Oct 26 13:13:51 UTC 2004
>
> nodata said:
>>> How? Would it make you feel better if the fake updates had installed a
>>> signature first? Or told you that you had to install a new key from
>>> the fake site? The ONLY thing that signatures tell you is that the RPM
>>> has been signed with a particular key, that's it.
>>
>> An rpm signed by Red Hat tells me that Red Hat signed it.
>> No signature == no install.
>
> Have you read the fake e-mail? RPM was never mentioned. And again, if
> you are falling for an e-mail that has you run an arbitrary script, any
> key can be installed to look like a Red Hat key.
My original post:
"A recent scam involving fake updates to Fedora has highlighted the lack of
signed RPMs for Rawhide" (prev: Fedora Core)
As in: "Red Hat's recent commentary on this has made me check that all
RPMs that Red Hat issues are really from Red Hat".
>> Many of the releases in Rawhide are not signed, why not?
>
> This has been discussed over and over, so look at the archives. Basically
> it boils down to the Rawhide RPMs being automatically generated when there
> isn't always someone around to sign them. Since the whole point of
> Rawhide is to get new bits out the door the choice is made not to hold
> them for a live body to sign them.
Then perhaps rawhide should be signed with a separate key that signs the
packages without a live body.
More information about the test
mailing list