On Tue, Oct 26, 2004 at 04:03:46PM -0600, Rodolfo J. Paiz wrote:
His point was that if the package is not signed, then it is easier for someone to substitute a trojan package on a mirror server. He's arguing that signing packages would add one level of useful security (or "trust", if you will), in that at least you would know that the package you downloaded had been built at Red Hat or by the Fedora Project.
The question is what it should be signed by, I guess. Red Hat don't trust or warrant rawhide packages.