Should Fedora rpms be signed?

Paul Iadonisi pri.rhl3 at iadonisi.to
Fri Oct 29 18:06:17 UTC 2004


On Fri, 2004-10-29 at 19:37 +0200, Nils Philippsen wrote:
> On Fri, 2004-10-29 at 11:06 -0600, Rodolfo J. Paiz wrote:

[snip]

> > I see no downside. Since you do, can you provide more detail on what and
> > why?
> 
> I see no downside in repo metadata signing either, it's a good thing
> actually. But it is not an argument on why packages shouldn't be signed
> individually.

  Um...did I miss something?  I didn't see anyone suggest *replacing*
package signing with repo metadata signing.  It's just an added measure
to help ensure that what is on the mirrors is what is on the official
Red Hat repo.  Granted, you still need yum or up2date to use that
information, but it's still a net gain.  In particular for when some
packages don't get signed, which seems to be what this thread is about
(today, anyhow ;-)).
  At least, I sure *hope* no one was suggesting foregoing package
signing.  Cuz that would be bad. :-)

-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets
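To illustrate the point above (an added example, not code from this thread or from yum/up2date): a small Python check that walks the trust chain below a repomd.xml, assuming that file has already passed `gpg --verify` against the official repo key. The repomd.xml, primary.xml and package bytes are constructed sample data, and the namespaces are the ones the yum metadata format uses.

```python
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"      # repomd.xml namespace
COMMON_NS = "{http://linux.duke.edu/metadata/common}"  # primary.xml namespace

def _digest(algo, data):
    return hashlib.new(algo, data).hexdigest()

def verify_repo_chain(repomd_xml, files):
    # Chain below a repomd.xml assumed to have passed `gpg --verify`: repomd
    # checksums -> metadata files -> package checksums listed in primary.xml.
    # `files` maps each relative href to the bytes the mirror actually served.
    findings = []
    for data in ET.fromstring(repomd_xml).iter(REPO_NS + "data"):
        href = data.find(REPO_NS + "location").get("href")
        csum = data.find(REPO_NS + "checksum")
        body = files.get(href)
        if body is None:
            findings.append((href, "missing"))
        elif _digest(csum.get("type"), body) != csum.text:
            findings.append((href, "metadata checksum mismatch"))
        elif data.get("type") == "primary":
            findings += _check_packages(body, files)
    return findings

def _check_packages(primary_xml, files):
    # A match means the mirror served what the official repo published; whether
    # the rpm itself carries a valid GPG signature is still `rpm -K`'s job.
    out = []
    for pkg in ET.fromstring(primary_xml).iter(COMMON_NS + "package"):
        href = pkg.find(COMMON_NS + "location").get("href")
        csum = pkg.find(COMMON_NS + "checksum")
        body = files.get(href)
        if body is None:
            out.append((href, "missing"))
        elif _digest(csum.get("type"), body) != csum.text:
            out.append((href, "package checksum mismatch"))
        else:
            out.append((href, "matches signed metadata"))
    return out

def sample_repo(tamper=False):
    # Constructed sample mirror: one package plus metadata built to match it.
    pkg = b"\xed\xab\xee\xdb constructed rpm payload"
    primary = (f'<metadata xmlns="{COMMON_NS[1:-1]}" packages="1"><package type="rpm">'
               f'<name>foo</name><checksum type="sha256" pkgid="YES">{_digest("sha256", pkg)}'
               f'</checksum><location href="foo-1.0-1.noarch.rpm"/></package></metadata>').encode()
    repomd = (f'<repomd xmlns="{REPO_NS[1:-1]}"><data type="primary">'
              f'<checksum type="sha256">{_digest("sha256", primary)}</checksum>'
              f'<location href="repodata/primary.xml"/></data></repomd>')
    served = pkg + (b" altered on mirror" if tamper else b"")  # swap after metadata was signed
    return repomd, {"repodata/primary.xml": primary, "foo-1.0-1.noarch.rpm": served}
```

The metadata chain only proves the mirror matches the official repo; an unsigned package that was published unsigned still passes it, which is why per-package signatures remain the separate, necessary layer.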