Should Fedora rpms be signed?

Nils Philippsen nphilipp at redhat.com
Fri Oct 29 15:11:33 UTC 2004


On Thu, 2004-10-28 at 17:44 -0600, Rodolfo J. Paiz wrote:
> On Thu, 2004-10-28 at 23:40 +0200, Matias Féliciano wrote:
> > But I am tired of this mix of authentication, quality, rawhide means
> > "don't complain", trust own unsigned rawhide rpm but don't trust own
> > unsigned rpm if it's not rawhide, ... arguments.
> 
> I think it's more of a question of attaching a different meaning to
> things. You see signing the Rawhide packages as a way to know that they
> were not altered on a mirror, such that you are sure of downloading the
> actual code produced by Red Hat. However, Peter and Jeff see signing the
> package as having the same value as your signature on a legal document:
> certification of something of value. As such, Fedora releases and
> updates (even beta releases) are signed, but Rawhide releases are not.
> 
> Both points of view make sense, but they attach different meanings to
> the concept of "signing" something.
> 
> My *interpretation* of what you wanted is that you would get exactly
> what you want by having people sign the metadata in the repository as
> was suggested earlier. You can then be certain that whatever is in the
> repo is exactly what it should be.
> 
> Now, how do we sign repo metadata?

So we (in a very much too broad sense of "we" ;-) are basically saying
that we should replace a mechanism that worked well for years with
another one that a) puts a burden on the people who "know what things
mean", b) doesn't really solve the problem with people doing things they
shouldn't do(*) and c) doesn't exist already? Great idea ;-).

(*): See another mail of mine in this thread for why I assume this.

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011
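The trust chain that "signing the repo metadata" would give a client, as an added example that is not part of the thread and not Fedora's or yum's code: the repository publishes a metadata file listing each package's digest, signs that one file, and a client that verifies the signature can then check every package on a mirror against the listed digests. Keys, package contents and the JSON metadata format below are constructed for the example; it uses Ed25519 from the third-party `cryptography` package rather than GPG/RPM signatures, which is an assumption for the sake of a self-contained script.

```python
"""Signed repository metadata as a transitive integrity check (added example).

Repository side: build metadata listing name -> sha256, sign it once.
Client side:     verify the signature, then verify each package's digest.
One signature check covers the whole mirror; a package altered on a mirror
fails its digest check, and metadata edited to match it fails the signature.
Uses the third-party `cryptography` package (assumption, not part of the thread).
"""
import hashlib
import json
from typing import Dict, List

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_metadata(packages: Dict[str, bytes]) -> bytes:
    """Repository side: canonical JSON mapping package name -> sha256 digest."""
    listing = {name: sha256_hex(blob) for name, blob in sorted(packages.items())}
    return json.dumps(listing, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(metadata: bytes, signing_key: Ed25519PrivateKey) -> bytes:
    """Repository side: detached signature over the metadata bytes."""
    return signing_key.sign(metadata)


def verify_mirror(metadata: bytes, signature: bytes, pubkey: Ed25519PublicKey,
                  mirror_packages: Dict[str, bytes]) -> List[str]:
    """Client side. Returns a list of problems; an empty list means the mirror
    holds exactly what the metadata signer published, nothing more or less."""
    try:
        pubkey.verify(signature, metadata)
    except InvalidSignature:
        # Without a valid signature the digest list itself is untrusted,
        # so no package check is meaningful.
        return ["metadata signature invalid: do not trust the package listing"]
    listing = json.loads(metadata)
    problems = []
    for name, expected in listing.items():
        blob = mirror_packages.get(name)
        if blob is None:
            problems.append(f"{name}: missing from mirror")
        elif sha256_hex(blob) != expected:
            problems.append(f"{name}: digest mismatch (altered on mirror)")
    for name in mirror_packages:
        if name not in listing:
            problems.append(f"{name}: not in signed metadata (unlisted package)")
    return problems


def demo() -> Dict[str, List[str]]:
    """Run the three cases: clean mirror, altered package, forged metadata."""
    signing_key = Ed25519PrivateKey.generate()   # constructed key, not a real one
    pubkey = signing_key.public_key()             # what a client would have pinned
    published = {                                 # constructed package contents
        "foo-1.0-1.noarch.rpm": b"foo contents",
        "bar-2.3-1.noarch.rpm": b"bar contents",
    }
    metadata = build_metadata(published)
    sig = sign_metadata(metadata, signing_key)

    # Case 1: mirror serves exactly what was published.
    clean = verify_mirror(metadata, sig, pubkey, published)

    # Case 2: one package altered on the mirror, metadata untouched.
    altered = dict(published)
    altered["foo-1.0-1.noarch.rpm"] = b"foo contents, altered"
    altered_package = verify_mirror(metadata, sig, pubkey, altered)

    # Case 3: mirror also rewrites the metadata to match the altered package,
    # but cannot produce a signature for it with the publisher's key.
    forged_metadata = verify_mirror(build_metadata(altered), sig, pubkey, altered)

    return {"clean": clean, "altered_package": altered_package,
            "forged_metadata": forged_metadata}


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'OK'}")
```

The point the example makes concrete is that the client needs to pin exactly one public key and check one signature per metadata refresh; every package on the mirror is then covered by the digest list, which is why signing the metadata answers the "was it altered on a mirror" question even when individual packages carry no signature of their own.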