+1 for the need. I think we should give md5 or similar hashes, and let distro's do the signing. Sent from my Android phone. Please ignore typos. -----Original Message----- From: David =?UTF-8?Q?Ja=C5=A1a?= [djasa@redhat.com] Received: Thursday, 26 Jan 2012, 15:33 To: board@ovirt.org Subject: package signing Hi, at least nightly fedora repo is not signed (i didn't look at the other ones but I suspect that all other repos are also unsigned). We should establish package signing infrastructure and we should also publish signing key fingerprint on SSL/TLS-secured page to prevent any MITM attack aimed on ovirt repo users. David -- David Jaša, RHCE SPICE QE based in Brno GPG Key: 22C33E24 Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24 _______________________________________________ Board mailing list Board@ovirt.org http://lists.ovirt.org/mailman/listinfo/board Sent from my Android phone. Please ignore typos.