Should Fedora rpms be signed?

seth vidal skvidal at phy.duke.edu
Tue Oct 26 22:12:12 UTC 2004


On Tue, 2004-10-26 at 18:10, Alexandre Oliva wrote:
> On Oct 26, 2004, seth vidal <skvidal at phy.duke.edu> wrote:
> 
> >> Just don't let yum install packages that aren't signed.  How about
> >> you start a rawhide mirror with the following properties: if a
> >> package is not signed, it won't be in your mirror; you'll keep the
> >> previous version of such package instead.
> 
> > Then it would not be a rawhide mirror. It would be a rawhide distortion.
> 
> > mirror implies an identical reflection. :)
> 
> Well, not quite.  Plane mirrors do.  And, even then, there's a small
> delay for the light to get from you to the mirror and back, so when
> you see your image in the mirror, you're no longer what you're seeing
> there :-)  This wouldn't be that different :-)


These locations should not even advertise themselves as ATTEMPTED
mirrors, b/c they are not doing that. At least the current mirrors are
making a good-faith effort to be in sync.


> No dispute here.  But if it could, later on, realize that the package
> was signed and use http interval fetch tricks to obtain only the
> signature, it would be way cool.

Difficult. With the signature it makes it harder to just get-byte-range
changes b/c the file moves around a bit.

-sv




