On Tuesday, 30.10.2007, at 19:25 +0100, nodata wrote:
On Sunday, 28.10.2007, at 13:40 -0700, Andrew Farris wrote:
> If you keep an eye on where your packages are coming from, even for rawhide,
> then you can be sure that only authorized maintainers have put them into the
> system (control which mirrors you're pulling them from). Actually signing the
> package from the build system would change very little other than ensure that
> the mirror you're downloading from did not bring in a new package that doesn't
> belong.
It worries me massively, from a security perspective, that someone from
inside Red Hat would say something as wrong as this.
Oh, you don't work for Red Hat. Sorry. But your statement is still
completely off the field.
>
> So as it stands, you have to extend trust to the maintainers, and the mirror.
> You can pick which mirror you trust.
>