Should Fedora rpms be signed?

Rodolfo J. Paiz rpaiz at simpaticus.com
Fri Oct 29 22:33:57 UTC 2004


On Fri, 2004-10-29 at 22:56 +0200, Matias Féliciano wrote:
> But I don't think it's easier to sign a repository than all the packages.
> 
> For signing a repository, one command line would be used [...]
> For signing all packages, one command line would be used [...]
> 
> If Red Hat can use one of these methods, they can easily do both (It
> seems).

Your logic is seriously flawed. The repository is created once, and
updated on a specific and regular schedule. The entire repository
metadata is signed at one time and in a predictable fashion.

Precisely the problem which has been pointed out about signing every
package is that there is no one around at the particular time when a few
packages are finally ready, and it is those that do not get signed. But
all packages are finished at different times, so it is impractical to
suggest that all packages can be signed together with a single command.

Cheers,

-- 
Rodolfo J. Paiz <rpaiz at simpaticus.com>
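The two models argued over above can be made concrete. The following is an added illustration, not code from the thread or from Fedora's tooling: it models "sign the repository once" as one signed metadata blob listing every package digest, and "sign every package" as a per-package signature that a late-finished package may simply lack. An HMAC-SHA256 key stands in for the repository's GPG key purely so the example runs offline with the standard library (a real repository uses a detached, asymmetric GPG signature over repomd.xml); the package names and contents are constructed.

```python
import hashlib
import hmac
import json

# Constructed example: a tiny "repository" where byte strings stand in for .rpm files.
PACKAGES = {
    "foo-1.0-1.noarch.rpm": b"contents of foo",
    "bar-2.3-4.noarch.rpm": b"contents of bar",
}

# Assumption: an HMAC key stands in for the repository's GPG signing key so the
# example needs no external tooling. The structure is the point, not the primitive.
REPO_SIGNING_KEY = b"constructed-demo-key"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_signed_metadata(packages, key):
    """Model of 'sign the repository once': one metadata document lists the digest of
    every package, and a single signature covers that document."""
    digests = {name: sha256(data) for name, data in sorted(packages.items())}
    metadata = json.dumps(digests, sort_keys=True).encode()
    signature = hmac.new(key, metadata, hashlib.sha256).hexdigest()
    return metadata, signature


def verify_repository(packages, metadata, signature, key):
    """Client side: verify the metadata signature first, then check every downloaded
    package against the digest the signed metadata vouches for.
    Returns a list of problems; an empty list means everything verified."""
    expected = hmac.new(key, metadata, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return ["metadata signature invalid"]
    digests = json.loads(metadata)
    problems = []
    for name, data in packages.items():
        if name not in digests:
            # A package added after the signing run is not covered by the signature.
            problems.append(f"{name}: not listed in signed metadata")
        elif digests[name] != sha256(data):
            problems.append(f"{name}: digest mismatch (tampered or replaced)")
    for name in digests:
        if name not in packages:
            problems.append(f"{name}: listed but missing")
    return problems


def sign_package(data, key):
    """Per-package signature (stand-in for an embedded GPG signature in the RPM header)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def audit_package_signatures(packages, signatures, key):
    """Model of 'sign every package': each package must carry its own valid signature.
    Returns the names that are unsigned or whose signature does not verify, which is
    the check that catches the late-finished packages the thread worries about."""
    bad = []
    for name, data in packages.items():
        sig = signatures.get(name)
        if sig is None or not hmac.compare_digest(sig, sign_package(data, key)):
            bad.append(name)
    return bad


if __name__ == "__main__":
    metadata, sig = build_signed_metadata(PACKAGES, REPO_SIGNING_KEY)
    print("repo model:", verify_repository(PACKAGES, metadata, sig, REPO_SIGNING_KEY) or "ok")
    # Only foo was signed before the signing run; bar was finished afterwards.
    sigs = {"foo-1.0-1.noarch.rpm": sign_package(PACKAGES["foo-1.0-1.noarch.rpm"], REPO_SIGNING_KEY)}
    print("per-package model, unsigned:", audit_package_signatures(PACKAGES, sigs, REPO_SIGNING_KEY))
```

In the repository model a package that arrives after the metadata was signed is reported as "not listed in signed metadata" rather than silently accepted, and a modified package fails its digest check; in the per-package model the audit function is what surfaces the packages nobody was around to sign.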