On Tue, Nov 25, 2003 at 02:06:15PM +0800, Chris Kloiber wrote:
> On Tue, 2003-11-25 at 05:12, Timothy Ha wrote:
> > Thank you!
> >
> > I still have some questions (not doubts): With thrilling stories like
> > someone breaking into the Linux kernel source, how do you guarantee the
> > quality of the repositories? Security updates, system tools and so on
> > are there.
> >
> > Will Red Hat be some guarantee to all these things?
>
> Not necessarily, but...
>
> The packages are all signed with GPG if they are officially part of the
> Fedora project. Your up2date/apt/yum should be configured to check these
> signatures before installing anything, and to scream "bloody-blue
> murder" if they are not correctly signed.

Well, almost all non-redhat.com repos are GPG signing as well. GPG signed
packages with keys from the same originating site only ensure that you get
what the packager produced. The difference being that I would trust a
redhat.com key more than a my.repo.for.fc1.hackz key ;)

> You should be able to find the official keys and an explanation of
> their uses here:
>
> http://fedora.redhat.com/about/security/

Maybe RH could consider verifying some IDs of packagers/repos and sign
their keys (and vice versa, RH's key is not signed by any other key)?
That would be a good establishment to create a true web of trust.
-- 
Axel.Thimm@xxxxxxxxxxxxxxxxxxx
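The thread's advice is that the package tool must be configured to refuse unsigned packages and to know which key each repository is signed with. The following is an added example, not code from the list or from Fedora: a small POSIX shell audit that reads yum-style ini repository definitions and reports every enabled repo that has gpgcheck disabled or that enables gpgcheck without naming a gpgkey. It assumes the per-repo `enabled`, `gpgcheck` and `gpgkey` keys; the repo files it checks are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Audit yum-style repo definitions for missing signature enforcement.
# Prints one finding per line for each enabled repo without gpgcheck=1,
# or with gpgcheck=1 but no gpgkey to verify against.
audit_repo_files() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function flush() {
                if (sect == "" || !enabled) return          # skip disabled repos
                if (!gpgcheck) print file ": [" sect "] gpgcheck disabled"
                else if (gpgkey == "") print file ": [" sect "] gpgcheck=1 but no gpgkey"
            }
            function val(s,  a) { split(s, a, "="); gsub(/^[ \t]+|[ \t]+$/, "", a[2]); return a[2] }
            /^[ \t]*\[/ { flush(); sect = $0; gsub(/^[ \t]*\[|\].*$/, "", sect)
                          enabled = 1; gpgcheck = 0; gpgkey = ""; next }   # yum defaults
            /^[ \t]*enabled[ \t]*=/  { enabled  = val($0) + 0 }
            /^[ \t]*gpgcheck[ \t]*=/ { gpgcheck = val($0) + 0 }
            /^[ \t]*gpgkey[ \t]*=/   { gpgkey   = val($0) }
            END { flush() }
        ' "$f"
    done
}

# Number of findings (0 means every enabled repo is pinned to a key).
count_unsafe_repos() { audit_repo_files "$@" | awk 'END { print NR }'; }

# Constructed sample repo files (hypothetical hosts, placeholder key path).
make_sample_repos() {
    d=$(mktemp -d)
    cat > "$d/fedora.repo" <<'EOF'
[fedora-core]
baseurl=http://example.invalid/fedora/core/1/i386/os
enabled=1
gpgcheck=1
gpgkey=file:///constructed/path/RPM-GPG-KEY-fedora
EOF
    cat > "$d/thirdparty.repo" <<'EOF'
[hackz]
baseurl=http://my.repo.for.fc1.hackz.invalid/fc1
enabled=1
gpgcheck=0

[extras-unkeyed]
baseurl=http://example.invalid/extras
enabled=1
gpgcheck=1

[disabled-repo]
baseurl=http://example.invalid/old
enabled=0
gpgcheck=0
EOF
    echo "$d"
}
```

On a real system point `audit_repo_files` at the machine's own repo definitions; the two findings from the samples are the [hackz] repo (no signature check at all) and [extras-unkeyed] (checking enabled but no key to check against).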