Should Fedora rpms be signed?

Andrew cmkrnl at speakeasy.net
Fri Oct 29 15:09:14 UTC 2004


> On Fri, October 29, 2004 02:08 PM Jeff Spaleta wrote:

> you can grab the signed metadata with the md5sums, check the sig on that.
> and then do a md5sum check comparing the md5sum values in the metadata
> and the package. You can do the md5sum check by hand. This isn't much
> different than the situation with the isos.  How do you verify you are
> using the correct isos? you check the md5sums against an md5sum list.
> How do you check the validity of the md5sum list?
> You check the md5sum list signature. 

Amen!!!!!! Thank you for restating that again. I was hoping when you
presented that before it would put all this to rest.
That's how digital signatures "work". I think that is really the
BEST solution for this whole problem.
 
> 
> You might argue it would be a good idea if there was a signed flat
> md5sum list for all packages as well as the xml metadata, so the
> md5sum command could use it. And then I'll tell you, you need to
> accept the inevitable future of xml for all possible human
> communication adopted by unanimous United Nations resolution, and you
> should fix md5sum to parse xml structure files for md5sum sigs :->

Exactly! 
 
> Can rawhide packages be automatically signed... of course
> Does autosigning help the intended, well informed, audience of the
> rawhide packages... yes
> Does autosigning hurt the unintended, un-informed or mis-informed
> audience... i think it does.

> 
> -jef
> 

And I think the latter is a bigger and worse impact than the
benefit of the former!

Andrew
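The verification chain Jeff describes above (check the signature on the checksum list first, then compare the package's md5sum against the entry in that list), as an added Python example that is not part of this thread. It assumes `gpg` is on the path with the repository's signing key already imported; the package names and digests are constructed for illustration.

```python
import hashlib
import subprocess
from pathlib import Path

# Constructed sample: a flat "md5sum"-style list as produced by running
# `md5sum *.rpm > MD5SUMS` on the repository side. Hypothetical package
# names and digests, not real Fedora values.
SAMPLE_PACKAGE = b"fake rpm payload for demonstration\n"
SAMPLE_MD5SUMS = (
    f"{hashlib.md5(SAMPLE_PACKAGE).hexdigest()}  example-1.0-1.noarch.rpm\n"
    "d41d8cd98f00b204e9800998ecf8427e  empty-0.1-1.noarch.rpm\n"
)


def verify_detached_signature(data_path, sig_path, gpg="gpg"):
    """Step 1: check the signature on the checksum list itself.
    Assumes gpg is installed and the signing key is already imported
    (its fingerprint having been checked out of band). True only if
    gpg reports a good signature."""
    result = subprocess.run([gpg, "--verify", str(sig_path), str(data_path)],
                            capture_output=True)
    return result.returncode == 0


def parse_md5sums(text):
    """Step 2: turn md5sum's 'digest  filename' lines into a dict."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # md5sum writes "  " (text) or " *" (binary)
        digests[name] = digest.lower()
    return digests


def package_matches(package_bytes, name, digests):
    """Step 3: compare the package's actual md5 with the listed value."""
    expected = digests.get(name)
    if expected is None:
        return False
    return hashlib.md5(package_bytes).hexdigest() == expected


def verify_package(package_path, name, md5sums_path, sig_path):
    """The whole chain: signed list -> list entry -> package bytes. A matching
    digest from an unverified list proves nothing, so the signature check
    is a hard precondition, not an optional extra."""
    if not verify_detached_signature(md5sums_path, sig_path):
        return False
    digests = parse_md5sums(Path(md5sums_path).read_text())
    return package_matches(Path(package_path).read_bytes(), name, digests)
```

Current repositories list sha256 digests rather than md5, but the order of checks is the same: signature over the list, then digest of the package.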
