Tim wrote:
Bill Davidsen:
Suggestion: since the livna key is still secure (AFAIK) let them
distribute the new Fedora key and sign the RPM.
Kevin Fenzi:
That was suggested before, but it's not a great solution for several
reasons: Not everyone has livna enabled. Having one repo publish keys
for another seems wrong, especially when they are not officially
connected.
I'm not sure whether *also* having the keys on other sites is so bad.
I give up, politics as usual. If a proposed solution isn't perfect it
isn't good enough, so trust us.
If you take it like the GPG model - countersigning and cross-checking
through other sources that you also trust. If Livna, ATRPMs, and a few
other usual repos had the same Fedora public key, you'd be more
confident that the key you got from what you think is a real Fedora
mirror, is the right one.
Well said. Common sense. The political answer is "wait until new
improved RPM comes out."
--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines