RPM security (a newbie question)
Rahul Sundaram
sundaram at fedoraproject.org
Thu Apr 2 11:10:04 UTC 2009
Stanisław T. Findeisen wrote:
> Really? Have you seen a list telling you who reviewed which package
> before it got signed with Fedora key?
>
> Probably there are lots of packages reviewed by their authors only?
Review and signing are two different processes. Every single new package
has to go through a review process as outlined in
http://fedoraproject.org/wiki/Packaging/ReviewGuidelines
Signing a package is done by a small number of people in the release
engineering team and they do that manually before pushing it into the
repositories.
Rahul