On Mon, 1 Nov 2004, Jeff Spaleta wrote:
On Mon, 1 Nov 2004 13:47:32 -0600 (CST), Satish Balay balay@fastmail.fm wrote:
But unless you are saying: somehow the current non-gpg-signed packages are preventing such folks from doing the wrong things (listed above) - and 'gpg-signing' encourages them to do them - your text adds no substance to the discussion.
Fine, I'll repeat myself... again.
Yes... I firmly believe... that long term... as tools become more signature aware and tools become more demanding that signatures be present on consumable rpms, that signing throw-away packages like rawhide packages encourages people to use those packages out of context, and encourages people to store individual rawhide packages for later use on other systems, instead of encouraging people to use a full rawhide collection.
I (as a clueless user) can do the same thing with unsigned packages. gpg doesn't encourage anything new to the clueless user.
We can argue about the technical definition of what gpg-signing means.
Let's not.
This is a matter of common perception as to what signing a package means, and what vendors have historically wanted people to think signing a package means... in the context of rpm's implementation of signing and not in the context of gnupg's or pgp's general-purpose implementation. And I argue that historically... rpm package signing has meant more than "built on this host" and that many vendors including Red Hat have meant it to mean more than "built on this host." And I will argue that until rpm gets support for the trust metric concept using signed keys, signing rawhide packages encourages people to "trust" rawhide packages. Where "trust" is a quantifiable measurement based on key signatures.
-jef
- Here the assumption is: EVERYONE's perception about gpg-signed rpms (or rawhide) is the same.
- And perception is no excuse for proper documentation.
- There will always be wrong assumptions by users. This doesn't equate to not signing-rawhide-packages. [And documenting it]
And as Matias already pointed out - lets not mix QA perception with 'signature'.
Satish