Should Fedora rpms be signed?

Jeff Spaleta jspaleta at gmail.com
Thu Oct 28 21:33:50 UTC 2004


On Thu, 28 Oct 2004 15:17:18 -0600, Rodolfo J. Paiz
<rpaiz at simpaticus.com> wrote:
> Even though I believe you have some interesting points, pointing very
> experienced programmers such as Dave and Jeff to the GNUPG docs is
> downright insulting and (I would say) entirely inappropriate.

Uhm, as flattering as this is... it's really not in your best interest
to hold me up as an example of a 'very experienced programmer' (unless
you are of course talking about programming in terms of mind control
and personality reprogramming.)
I've said it before and I'll say it again, I'm just a small dog who
barks... a lot.

And frankly I would much rather see Matias citing much much much more
specific authoritative documentation, or compelling historical
discussions that have come before that can be used for guidance in the
current discussion as backup for his personal opinions. It's much
easier to discuss our way past disagreements when the disagreement can
be viewed in the context of authoritative documentation and precedent
setting discussions that have gone on elsewhere. But as it stands we
are stuck in a discussion on par with "less filling/tastes great."  If
anything I looked at Matias' attempt to point me to useful
documentation as a way forward, out of the cycle of despair. It was
the first truly noteworthy attempt at education and resolution that
I've seen from Matias, and I thank him for it.

Sadly I've taken the time to follow his instructions and I have
re-read the bulk of the documentation at the gnupg site hoping to find
anything that speaks to the risks and benefits of automated
signing... and I'm not seeing much. I see a short discussion on how to do
automated signing with gnupg (barely relevant to rpm's specific
implementation), but not much in terms of what it "means" to do
automated signing in terms of expected security, in the context of
generally accepted understanding of what signing a package means for
the userbase.

-jef"far more willing to read documentation than to listen to personal
opinion"spaleta
