[Mageia-dev] Signature verification of sources

Tue Jan 10 22:59:14 CET 2012

Am 10.01.2012 20:09, schrieb Dan Fandrich:
+> On Tue, Jan 10, 2012 at 08:00:35PM +0100, Johnny A. Solbu wrote:
+>> I think this is a good initiative.
+>> Does other distros do this?
+>> Perhaps we can ask other distros to start doing the same, and thus give upstream developers a reason for signing.
+> I believe at least some source-based distros (e.g. Gentoo) do this since
+> there's no other means to ensure that the end user isn't downloading and
+> compiling compromised source.  
+Well, even that didn't protect them from distributing backdoored unrealircd:
+https://bugs.gentoo.org/show_bug.cgi?id=323691#c2
+But in general it seems a good way to go. Always wondered why some SPECs
+had .asc signatures defined in Source tags, but nothing used them.
+
+> It's not really necessary with RPM as
+> the spec file creator can verify the source manually (using GPG or other
+> means) before packaging it into an SRPM signed by his key. But, chances
+> are that manual step is not happening now so making it automatic isn't
+> a bad idea.
+>
+>>>> Dan
+
+