[Mageia-dev] Signature verification of sources

Florian Hubold doktor5000 at arcor.de
Tue Jan 10 22:59:14 CET 2012


On 10.01.2012 20:09, Dan Fandrich wrote:
> On Tue, Jan 10, 2012 at 08:00:35PM +0100, Johnny A. Solbu wrote:
>> I think this is a good initiative.
>> Do other distros do this?
>> Perhaps we can ask other distros to start doing the same, and thus give upstream developers a reason for signing.
> I believe at least some source-based distros (e.g. Gentoo) do this since
> there's no other means to ensure that the end user isn't downloading and
> compiling compromised source.  
Well, even that didn't protect them from distributing backdoored unrealircd:
https://bugs.gentoo.org/show_bug.cgi?id=323691#c2
But in general it seems a good way to go. I always wondered why some SPECs
had .asc signatures defined in Source tags, but nothing used them.

> It's not really necessary with RPM as
> the spec file creator can verify the source manually (using GPG or other
> means) before packaging it into an SRPM signed by his key. But, chances
> are that manual step is not happening now so making it automatic isn't
> a bad idea.
>
>>>> Dan

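As an added example (not Mageia's, rpm's or any poster's code), here is what the manual GPG check Dan describes, or a %prep-style check over the .asc files Florian mentions in Source tags, could look like in practice. It verifies a tarball against its detached signature using only a key file shipped alongside the package, imported into a throwaway keyring, and additionally pins the expected key fingerprint, because a zero exit from gpg only says "some key in the keyring signed this". The demo function generates a throwaway "upstream" key and a fake tarball (both constructed here) and then checks the genuine, tampered and wrongly-pinned cases. It assumes gpg 2.1 or newer on PATH; all file and key names are hypothetical.

```shell
#!/bin/sh
# Added example: verifying a source tarball against a detached OpenPGP
# signature with a pinned upstream key. Not Mageia's or rpm's own code.
set -u

# verify_source_signature TARBALL SIG KEYFILE FINGERPRINT
# Imports KEYFILE into a fresh, private keyring (so nothing in the
# packager's own keyring can satisfy the check), verifies SIG over
# TARBALL, and requires the signing key's fingerprint to equal
# FINGERPRINT. Returns 0 only for a valid, correctly-keyed signature.
verify_source_signature() {
    tarball=$1 sig=$2 keyfile=$3 fpr=$4
    vhome=$(mktemp -d) || return 1
    chmod 700 "$vhome"
    rc=0
    GNUPGHOME=$vhome gpg --batch --quiet --import "$keyfile" >/dev/null 2>&1 || rc=1
    status=""
    if [ "$rc" -eq 0 ]; then
        # --status-fd 1 puts machine-readable "[GNUPG:] ..." lines on stdout
        status=$(GNUPGHOME=$vhome gpg --batch --status-fd 1 \
                 --verify "$sig" "$tarball" 2>/dev/null) || rc=1
    fi
    GNUPGHOME=$vhome gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$vhome"
    [ "$rc" -eq 0 ] || return 1
    # Exit status 0 alone is not enough: pin the fingerprint from VALIDSIG
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr " || return 1
    return 0
}

# Constructed demo: throwaway upstream key (hypothetical identity), a fake
# tarball, its signature, then the good / tampered / wrong-key cases.
# Returns 0 only when all three outcomes are as expected.
demo_signature_check() {
    work=$(mktemp -d) || return 1
    uhome=$work/upstream-gnupg
    mkdir -m 700 "$uhome"
    printf '%s\n' '%no-protection' 'Key-Type: RSA' 'Key-Length: 2048' \
        'Key-Usage: sign' 'Name-Real: Upstream Test' \
        'Name-Email: upstream@example.invalid' 'Expire-Date: 0' '%commit' \
        > "$work/keyparams"
    GNUPGHOME=$uhome gpg --batch --quiet --gen-key "$work/keyparams" >/dev/null 2>&1 || return 1
    # Fingerprint the spec would pin (field 10 of the fpr: record)
    fpr=$(GNUPGHOME=$uhome gpg --batch --with-colons --fingerprint upstream@example.invalid \
          | awk -F: '/^fpr:/ { print $10; exit }')
    GNUPGHOME=$uhome gpg --batch --armor --export upstream@example.invalid > "$work/upstream.gpg"
    # Fake "release" (constructed bytes, not a real tarball) and its detached signature
    printf 'pretend this is foo-1.0.tar.gz\n' > "$work/foo-1.0.tar.gz"
    GNUPGHOME=$uhome gpg --batch --armor --output "$work/foo-1.0.tar.gz.asc" \
        --detach-sign "$work/foo-1.0.tar.gz" 2>/dev/null
    # Tampered copy served with the genuine signature
    printf 'pretend this is foo-1.0.tar.gz with a backdoor\n' > "$work/evil-1.0.tar.gz"
    # Fingerprint of some other key, as if the spec pinned the wrong maintainer
    wrong_fpr=0000000000000000000000000000000000000000

    good=fail tampered=accepted wrongkey=accepted
    verify_source_signature "$work/foo-1.0.tar.gz" "$work/foo-1.0.tar.gz.asc" \
        "$work/upstream.gpg" "$fpr" && good=ok
    verify_source_signature "$work/evil-1.0.tar.gz" "$work/foo-1.0.tar.gz.asc" \
        "$work/upstream.gpg" "$fpr" || tampered=rejected
    verify_source_signature "$work/foo-1.0.tar.gz" "$work/foo-1.0.tar.gz.asc" \
        "$work/upstream.gpg" "$wrong_fpr" || wrongkey=rejected
    GNUPGHOME=$uhome gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "genuine: $good, tampered: $tampered, wrong pinned key: $wrongkey"
    [ "$good" = ok ] && [ "$tampered" = rejected ] && [ "$wrongkey" = rejected ]
}

if command -v gpg >/dev/null 2>&1; then
    demo_signature_check
else
    echo "gpg not found; nothing to demonstrate" >&2
fi
```

The key file and fingerprint are what would be committed next to the spec (a Source tag for the .asc and one for the key, plus the fingerprint as a macro), so the check does not depend on whatever happens to be in the packager's personal keyring; the unrealircd case shows why a passing signature from an unexpected key should still fail the build.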