#6267: sign ostree commits
------------------------------+-----------------------
Reporter: walters | Owner: rel-eng@…
Type: task | Status: new
Milestone: Fedora 23 Final | Component: koji
Resolution: | Keywords:
Blocked By: | Blocking:
------------------------------+-----------------------
Comment (by ausil):
Replying to [comment:2 walters]:
Metalink and TLS is good, but it's not a direct replacement for
GPG.
For example:
- GPG is inherently "pinned", whereas the TLS default
allows all ca-
certs which allows a *lot* of organizations to MITM
- GPG is much easier to verify "offline"
As far as the manual step - I'd be fine with an automated process.
I guess I was not clear, we have no way to do any signing automatically.
The way the signing server works it is entirely manual
--
Ticket URL: <
https://fedorahosted.org/rel-eng/ticket/6267#comment:3>
Fedora Release Engineering <
http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project