Fedora Users — Do you trust the source of the packages?

Do you trust the source of the packages?

Date Prev

Date Next

Thread Prev

Thread Next

Date Index

Thread Index

To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>

Subject: Do you trust the source of the packages?

From: brian <fedora@xxxxxxx>

Date: Wed, 15 Jul 2009 14:03:36 -0400

Reply-to: "Community assistance, encouragement, and advice for using Fedora." <fedora-list@xxxxxxxxxx>

User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11 Thunderbird/3.0b2

I just tried to run software update again and got the following msg:

-- snip --
Do you trust the source of the packages?

Repository name: updates
Signature URL: /etc/pki/rpm/-gpg/RPM-GPG-KEY-fedora-i386
Signature user identifier: Fedora(11) <fedora@xxxxxxxxxxxxxxxxx>
Signature identifier: D22E77F2
Package: xfsprogs-3.0.1-6.fc11

Do you recognise the user and trust the key?
-- snip --

Well, yes, I recognise that. But how can I know to trust it? I see theemail address is at fedoraproject.org but I have no idea how tointerpret the "Signature identifier" nor whether updates can be spoofed.I'm not being paranoid--I figure this may have something to do with therecent updates issue and it's probably fine. I'm just curious aboutthis. What criteria should I use to decide whether or not to accept this?

Also, why in heck can't I select & copy text in this kind of messagedialogue? Booooo!


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines