Bill Davidsen: >> Suggestion: since the livna key is still secure (AFAIK) let them >> distribute the new Fedora key and sign the RPM. Kevin Fenzi: > That was suggested before, but it's not a great solution for several > reasons: Not everyone has livna enabled. Having one repo publish keys > for another seems wrong, especially when they are not officially > connected. I'm not sure whether *also* having the keys on other sites is so bad. If you take it like the GPG model - countersigning and cross-checking through other sources that you also trust. If Livna, ATRPMs, and a few other usual repos had the same Fedora public key, you'd be more confident that the key you got from what you think is a real Fedora mirror, is the right one. -- [tim@localhost ~]$ uname -r 2.6.25.14-108.fc9.i686 Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
