Re: Package XYZ is not signed
On So Oktober 28 2007, Andrew Farris wrote:
prevent that either (in rawhide). Testing rawhide isn't for
boxes with
corporate sensitive data...
This seems not to be common knowledge, because afaik even Fedora Maintainers
use Rawhide on a system, where they create new packages.
Actually signing the package from the build system would change very
little
other than insure that the mirror you're downloading from did not bring in
a new package that doesn't belong.
Imho it is a big benefit, because it is very easy for a mirror maintainer to
change a package. Also someone who breaks into a mirror can easily cause
heavy damage. And last but not least, the manipulation of the package can
also happen on the connection to the mirror, e.g. on conferences with
free/open wifi/internet access.
Regards,
Till
Attachments:
- signature.asc (application/pgp-signature — 827 bytes)