On Thursday, 28 October 2004 at 15:01 -0400, Jeff Spaleta wrote:
On Thu, 28 Oct 2004 19:38:02 +0200, Matias Féliciano feliciano.matias@free.fr wrote:
???? "createrepo --addsign ...." is better than "rpm --addsign *.rpm" ? Why ?
Then there's no misplaced trust on the package, as you'd get by signing it, but there is verification that it is the right package.
???? You mean I should not trust the right package ?
Rawhide packages...by their very nature shouldn't be trusted.
Rawhide packages should be trusted as Rawhide packages. Without a signature, what seems to be a Rawhide package can be anything.
Rawhide packages may in no unspecified order:
  eat your children
  pollute your network
  eat your children
  destroy your data
  eat your children
The problem here is interpretation of what signing a package is meant to mean. You really really really want it to be used for something new, to imply a level of trust intermediate of what it's been traditionally used for and no signing at all. The LOSS, in this case, is confusion as to what it means when a package is signed.
Signed package means signed package. Go to the GnuPG documentation if you want to learn more: http://www.gnupg.org/documentation/index.html
(snip)