[Mageia-dev] Signature verification of sources

Dan Fandrich dan at coneharvesters.com
Tue Jan 10 20:09:51 CET 2012


On Tue, Jan 10, 2012 at 08:00:35PM +0100, Johnny A. Solbu wrote:
> I think this is a good initiative.
> Do other distros do this?
> Perhaps we can ask other distros to start doing the same, and thus give upstream developers a reason for signing.

I believe at least some source-based distros (e.g. Gentoo) do this since
there's no other means to ensure that the end user isn't downloading and
compiling compromised source.  It's not really necessary with RPM as
the spec file creator can verify the source manually (using GPG or other
means) before packaging it into an SRPM signed by his key. But, chances
are that manual step is not happening now so making it automatic isn't
a bad idea.

>>> Dan
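Dan's reply describes the manual step a spec file creator can take: verify the upstream tarball (with GPG or other means) before it goes into the SRPM signed by his key. The script below is an added example of what that step looks like once made automatic; it is not code from this message or from Mageia's build tools. It assumes the packager ships the upstream release key as a keyring file next to the spec (the name upstream-keyring.gpg is an assumption) and records the tarball's SHA-256 in the spec. Both checks must pass, and a missing signature, missing keyring or missing gpg binary fails closed rather than silently skipping the check.

```sh
#!/bin/sh
# Added example (not from the message or Mageia's build tools): automate the
# "verify the upstream source before it goes into the SRPM" step.
# Assumptions: the packager keeps the upstream release key in a keyring file
# shipped next to the spec (here ./upstream-keyring.gpg) and records the
# tarball's SHA-256 in the spec. Both checks must pass; a missing signature,
# missing keyring or missing gpg binary fails closed.

# sha256_of FILE -> prints the hex digest (GNU coreutils or perl shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# verify_gpg FILE SIGFILE KEYRING -> 0 only if gpg reports a good signature
# made by a key in KEYRING. --no-default-keyring keeps the packager's own
# keyring out of the decision and no keyserver is consulted, so a key that
# merely arrived alongside the tarball cannot satisfy the check.
# KEYRING must contain a slash, otherwise gpg looks for it under ~/.gnupg.
verify_gpg() {
    file=$1
    sig=$2
    keyring=$3
    [ -f "$sig" ] || { echo "missing signature file $sig" >&2; return 1; }
    [ -f "$keyring" ] || { echo "missing keyring $keyring" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$file" >/dev/null 2>&1
}

# verify_source FILE SIGFILE KEYRING EXPECTED_SHA256 -> 0 only if both pass
verify_source() {
    verify_gpg "$1" "$2" "$3" && verify_sha256 "$1" "$4"
}

# demo: exercise the checks on a constructed stand-in for a tarball (no real
# upstream release is involved). Run as: sh verify-source.sh --demo
demo() {
    tmp=$(mktemp)
    printf 'constructed tarball contents\n' > "$tmp"
    good=$(sha256_of "$tmp")
    verify_sha256 "$tmp" "$good" && echo "good digest: accepted"
    verify_sha256 "$tmp" "$(printf '%064d' 0)" || echo "bad digest: rejected"
    # No .asc next to the file: the signature check fails closed even though
    # the digest is right, which is the behaviour a spec's %prep should rely on.
    verify_source "$tmp" "$tmp.asc" ./upstream-keyring.gpg "$good" \
        || echo "unsigned tarball: rejected"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

In a spec file the same functions would run in %prep against %{SOURCE0} (the tarball), %{SOURCE1} (the detached .asc) and %{SOURCE2} (the keyring), so that rpmbuild aborts before anything is unpacked or compiled. Keeping the keyring under the packager's control, rather than fetching the key from a keyserver at build time, is what turns the signature check into an actual authenticity check instead of a check that some key signed the file.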