On Sunday, 28.10.2007, at 13:40 -0700, Andrew Farris wrote:
> If you keep an eye on where your packages are coming from, even for rawhide,
> then you can be sure that only authorized maintainers have put them into the
> system (control which mirrors you're pulling them from). Actually signing the
> package from the build system would change very little other than ensure that
> the mirror you're downloading from did not bring in a new package that doesn't
> belong.
It worries me massively, from a security perspective, that someone from
inside Red Hat would say something as wrong as this.
So as it stands, you have to extend trust to the maintainers, and the mirror.
You can pick which mirror you trust.