Should Fedora rpms be signed?

Nils Philippsen nphilipp at redhat.com
Fri Oct 29 13:36:47 UTC 2004


On Fri, 2004-10-29 at 09:18 -0400, William Hooper wrote:
> John Burton said:
> [snip]
> > As far as signing packages vs. signing meta-data... Digital signatures
> > are like real signatures, you want to make sure they are actually attached
> > to what you are signing.
> [snip]
> 
> IIRC the discussion was that signed meta-data would have the signatures
> attached to the MD5sums of the packages.  The MD5sums of the download
> could then be checked against the meta-data, verifying that the package is
> the same as the package used to create the meta-data.

This still forces me to use special tools like up2date and yum to access
the packages if I want to verify their origins.

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011
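The two designs the thread contrasts, as an added example that is not part of the original post: a signature over repository metadata that lists package digests (the yum/up2date model Hooper describes), next to a signature embedded in the package itself, which a standalone tool can check without any repository metadata (Nils's point). The signature scheme, package format and sample packages below are constructed for illustration; a toy Lamport one-time signature over SHA-256 stands in for the GPG/RSA signatures rpm actually uses, and SHA-256 replaces the MD5 the 2004 discussion mentions because MD5 is no longer collision resistant. Each Lamport key may sign only one message, so a fresh key is generated per signed object.

```python
"""Added example: signed repository metadata vs. an embedded package signature.

Assumptions (not from the mailing-list thread): a toy Lamport one-time
signature over SHA-256 stands in for GPG/RSA, package contents are
constructed in-line, and a trivial length-prefixed container models an
rpm with its signature attached.
"""
import hashlib
import hmac
import json
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- toy signature scheme (Lamport one-time signature, SHA-256) ---------
def lamport_keygen():
    # 256 pairs of random secrets; the public key is the hash of each secret.
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[_h(s) for s in pair] for pair in sk]
    return sk, pk


def lamport_sign(sk, message: bytes):
    # Reveal, for every bit of the message hash, the secret matching that bit.
    digest = int.from_bytes(_h(message), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, message: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    digest = int.from_bytes(_h(message), "big")
    ok = True
    for i in range(256):
        bit = (digest >> (255 - i)) & 1
        ok &= hmac.compare_digest(_h(sig[i]), pk[i][bit])
    return ok


# --- design 1: signed metadata that carries package digests --------------
def build_signed_metadata(sk, packages: dict):
    # The repository signs a manifest of name -> digest, not the packages.
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in packages.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    return manifest_bytes, lamport_sign(sk, manifest_bytes)


def verify_via_metadata(pk, manifest_bytes, manifest_sig, name: str, downloaded: bytes) -> bool:
    # Trust chain: signature covers the manifest, manifest covers the digest,
    # digest covers the bytes that were actually downloaded. A client needs the
    # manifest and its signature in hand, which is why this requires repo tooling.
    if not lamport_verify(pk, manifest_bytes, manifest_sig):
        return False
    expected = json.loads(manifest_bytes).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(downloaded).hexdigest(), expected)


# --- design 2: the signature travels inside the package -----------------
def sign_package(sk, payload: bytes) -> bytes:
    # Container: 4-byte payload length, payload, then the signature over the payload.
    return len(payload).to_bytes(4, "big") + payload + b"".join(lamport_sign(sk, payload))


def verify_signed_package(pk, blob: bytes):
    # Returns the payload if its embedded signature verifies, else None.
    # Only the signer's public key is needed; no repository metadata is involved.
    n = int.from_bytes(blob[:4], "big")
    payload, sig_bytes = blob[4:4 + n], blob[4 + n:]
    if len(sig_bytes) != 256 * 32:
        return None
    sig = [sig_bytes[i * 32:(i + 1) * 32] for i in range(256)]
    return payload if lamport_verify(pk, payload, sig) else None


if __name__ == "__main__":
    packages = {"foo-1.0.rpm": b"constructed payload A", "bar-2.1.rpm": b"constructed payload B"}
    sk, pk = lamport_keygen()
    manifest, sig = build_signed_metadata(sk, packages)
    print("metadata path, genuine:", verify_via_metadata(pk, manifest, sig, "foo-1.0.rpm", packages["foo-1.0.rpm"]))
    print("metadata path, tampered:", verify_via_metadata(pk, manifest, sig, "foo-1.0.rpm", b"evil"))
    sk2, pk2 = lamport_keygen()
    blob = sign_package(sk2, packages["foo-1.0.rpm"])
    print("embedded path:", verify_signed_package(pk2, blob) is not None)
```

Both paths reject a modified download; the difference is what the verifier must possess. With signed metadata the manifest and its signature are required alongside the package, so a bare copy of the file cannot be checked; with an embedded signature the package alone, plus the public key, suffices.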