On Tue, 2003-11-25 at 15:04, Axel Thimm wrote: > On Tue, Nov 25, 2003 at 02:06:15PM +0800, Chris Kloiber wrote: > > On Tue, 2003-11-25 at 05:12, Timothy Ha wrote: > > > Thank you! > > > > > > I still have some questions (not doubts): With thrilling stories like > > > someone break into Linux kernel source, how do you guarant the quality > > > of the repositories? Security updates, system tools and so on are there. > > > > > > Will Redhat be some guarantee to all these things? > > > > Not necessarily, but... > > > > The packages are all signed with GPG if they are officially part of the > > Fedora project. Your up2date/apt/yum should be configured to check these > > signatures before installing anything, and to scream "bloody-blue > > murder" if they are not correctly signed. > > Well, almost all non-redhat.com repos are GPG signing as well. GPG > signed packages with keys from the same originating site only ensures > that you get what the packager produced. The difference being that I > would trust a redhat.com key more than a my.repo.for.fc1.hackz key ;) > > > You should be able to find the official keys and and explanation of > > their uses here: > > > > http://fedora.redhat.com/about/security/ > > Maybe RH could consider verifying some IDs of packagers/repos and sign > their keys (and vice versa, RH's key is not signed by any other key)? > That would be a good establishment to create a true web of trust. Oh, part of that is here: http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x54A2ACF1 -- Chris Kloiber Red Hat, Inc.
