Nils Philippsen wrote:
[...snip...]
I still don't see how signing a package makes it more trustworthy than signing the repo metadata. Signing a package gives me some amount of trust in its origin, not its quality or whatever.
Jumping into this discussion face first... As you said, signing a package gives you some amount of trust in its origin. The trust in its quality is derived from the reputation of the origin, i.e. I would "trust" the quality of a package signed by RedHat before I would "trust" the quality of a package signed by Joe Schmo from xyz. But that "trust" in the RedHat quality would probably be damaged if they were to "sign" pre-release (rawhide) packages. So, releases should be signed, tests should not.
As far as signing packages vs. signing meta-data... Digital signatures are like real signatures, you want to make sure they are actually attached to what you are signing. If there is a chance that the package that the signed meta-data represents can be changed without invalidating the signature, then you've lost the authentication power of the signature. In the non-digital world, you sign each page of a contract, not a separate blank page attached to the contract. Signing a blank page is meaningless...
Okay, back to lurking in the dark shadows...
John
Nils
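The "blank page" argument above comes down to whether the signed repository metadata binds the package contents. The following is an added example, not code from the thread or from any package-management tool, that compares the two cases: metadata that carries a SHA-256 digest per package (the signature covers the contents) and metadata that lists only names and sizes (the signature covers a "blank page"). It uses an HMAC with a constructed key as a stand-in for the repository's real asymmetric signature; the package names, payloads and the `verify_download` client check are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the repository's private signing key.
# A real repository would use an asymmetric signature (GPG, Ed25519, ...);
# HMAC keeps this example dependency-free and the binding argument is the same.
REPO_SIGNING_KEY = b"constructed-demo-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(metadata: dict) -> bytes:
    """Serialise metadata deterministically so signer and verifier hash identical bytes."""
    return json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(metadata: dict) -> str:
    return hmac.new(REPO_SIGNING_KEY, canonical(metadata), hashlib.sha256).hexdigest()


def signature_valid(metadata: dict, signature: str) -> bool:
    return hmac.compare_digest(sign_metadata(metadata), signature)


def build_metadata(packages: dict, bind_contents: bool) -> dict:
    """Repository metadata listing each package.

    bind_contents=True: every entry carries the SHA-256 of the package bytes,
    so the metadata signature transitively covers the package contents.
    bind_contents=False: entries hold only a size, i.e. the "blank page" case.
    """
    entries = {}
    for name, blob in packages.items():
        entry = {"size": len(blob)}
        if bind_contents:
            entry["sha256"] = sha256_hex(blob)
        entries[name] = entry
    return {"packages": entries}


def verify_download(metadata: dict, signature: str, name: str, blob: bytes) -> bool:
    """Client-side check: the signed metadata must verify, and if it binds a
    digest the downloaded bytes must match it. Returns True when accepted."""
    if not signature_valid(metadata, signature):
        return False
    entry = metadata["packages"].get(name)
    if entry is None or entry["size"] != len(blob):
        return False
    if "sha256" in entry:
        return hmac.compare_digest(entry["sha256"], sha256_hex(blob))
    return True  # nothing left to check: the metadata never bound the contents


# Constructed sample repository contents.
PACKAGES = {"foo-1.0.rpm": b"foo payload v1.0", "bar-2.3.rpm": b"bar payload v2.3"}
# A same-length replacement, so a size field alone cannot detect it.
TAMPERED_FOO = b"foo payload EVIL"


def demo() -> dict:
    """Run the client check against bound and unbound metadata; True = accepted."""
    results = {}
    bound = build_metadata(PACKAGES, bind_contents=True)
    bound_sig = sign_metadata(bound)
    results["bound_genuine"] = verify_download(bound, bound_sig, "foo-1.0.rpm", PACKAGES["foo-1.0.rpm"])
    results["bound_tampered"] = verify_download(bound, bound_sig, "foo-1.0.rpm", TAMPERED_FOO)

    unbound = build_metadata(PACKAGES, bind_contents=False)
    unbound_sig = sign_metadata(unbound)
    results["unbound_genuine"] = verify_download(unbound, unbound_sig, "foo-1.0.rpm", PACKAGES["foo-1.0.rpm"])
    results["unbound_tampered"] = verify_download(unbound, unbound_sig, "foo-1.0.rpm", TAMPERED_FOO)

    # Rewriting the bound metadata to match the replaced package breaks the signature.
    edited = json.loads(json.dumps(bound))
    edited["packages"]["foo-1.0.rpm"]["sha256"] = sha256_hex(TAMPERED_FOO)
    results["edited_metadata"] = verify_download(edited, bound_sig, "foo-1.0.rpm", TAMPERED_FOO)
    return results


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

With digests in the metadata, a replaced package is rejected and so is metadata edited to match it, because the signature no longer verifies; without digests the replaced package is accepted even though the metadata signature is perfectly valid, which is exactly the signed blank page. The same reasoning applies whether the signature sits on the metadata or on each package: what matters is that the signed bytes include the content being trusted.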