On Fri, Feb 27, 2009 at 01:47:10PM -0800, Adam Williamson wrote:
On Fri, 2009-02-27 at 16:30 -0500, Jon Masters wrote:
Hmm. As far as I can see, signing Rawhide packages would still have value, in that it would prove that the package was created either by an approved maintainer of that package or by a Proven Packager, and was properly built through the official build system (it should, anyway, if the signing process is properly situated at the end of the above process and can't be accessed in any other way).
Yeah, still doesn't protect against the guy who introduces a new package today that includes an updated configuration for my VPN client, or my email client, or a host of other stuff I might be using and rely upon.
Sure. I didn't say it does. That doesn't make it useless. :)
(On a practical level, neither do F9 or F10, since maintainers can at present push packages directly to the official updates repository with no oversight, AFAIK.)
I could just stop pushing updates if it would make everyone feel safer.
josh