FC3T2 up2date - <package> is not signed with a GPG signature

Jeff Spaleta jspaleta at gmail.com
Tue Sep 28 16:12:40 UTC 2004


On Tue, 28 Sep 2004 11:20:50 +0200, Matias Feliciano
<feliciano.matias at free.fr> wrote:
> Fedora Core => signed sometimes.

Correction... the development tree..specifically has unsigned
packages..and that is an inherent "feature" of the development tree.
Signing takes finite time and involves a human to do it for it to have
any value whatsoever. There is a trade-off between pushing fixes out
for testing/feedback as quickly as possible and providing the added
benefit of signed packages. The development tree churns pretty fast.
There could easily be a daily update for some packages as bugs get
fixed (or refixed). The extra time and manpower to sign all the
packages could easily keep a package from being available by a whole
day or more.
Testing for the next full release is a time sensitive process..with
deadlines. Having to wait an extra day to make a new development
package available basically cuts the amount of available community
testing time during the testing phase by half. That's a pretty high
cost for the meager benefit of signing a package that is not
advertised to be secure or tested which might have a lifetime of
exactly 1 or 2 days if another update needs to be pushed.

Since the development tree is not advertised to be secure nor stable,
there is an argument to be made that in the development tree getting
packages publicly available as quickly as possible outweighs the
benefit of signing packages. Since every person using the development
should NOT be using development packages in situations where security
and data integrity are a requirement. If you have a problem with using
unsigned packages on your testing box...don't use the unsigned
packages.

All packages part of full releases and updates to full releases and
even packages as part of test releases get signatures. The lack of
signing is strictly a development branch issue.

-jef



