warning to list

[Ricardo Veguilla]

On Tue, 2004-10-26 at 16:03 -0600, Rodolfo J. Paiz wrote:
> On Mon, 2004-10-25 at 22:16 -0400, Ricardo Veguilla wrote:
> > Quoting Matias
> > > By not signing their rpm in rawhide, Red Hat "force" me to take risk
> > > (fake rpm, ...) for _nothing_. I don't want to take these risks.
> > >
> > 
> > Its funny because I agree that it will be good if rawhide rpms were
> > signed, but I was only pointing out that if you choose to use
> > unsupported beta software for critical tasks, you can't say the provider
> > forced you to be at risk... it was your choice to use it. 
> > 
> 
> His point was not that Red Hat forced him to use a beta, for God's sake.

Again, please read more carefully before replying. You don't seem to be
reading what I wrote. Re-read my paragraph above and tell me where do I
claim that "Matias says Red Hat is forcing him to use a beta"? 

The point he made (and which is the only thing I criticizing) was that
since he is using rawhide (beta/test/devel software) Red Hat is forcing
him to be at risk because rawhide packages are not signed.  

> His point was that if the package is not signed, then it is easier for
> someone to substitute a trojan package on a mirror server. He's arguing
> that signing packages would add one level of useful security (or "trust"
> if you will, in that at least you would know that the package you
> downloaded had been built at Red Hat or by the Fedora Project.

Like I said I agree that it will be good if the rpm were signed.

> That's it. Argue against that, if you will, but your continued argument
> about his using (or not) a beta is simply based on not understanding
> Matías's original point.

Like I said, I don't have to argue against "that" (signed rpm being a
good idea) because I agree with "that". 

If you want to continue arguing about this, feel free to email me
privately.

Regards,
-- 
Ricardo Veguilla <veguilla at hpcf.upr.edu>