RE: package signing

Doron Fediuck dfediuck at redhat.com
Thu Jan 26 16:01:43 UTC 2012


+1 for the need.
I think we should give md5 or similar hashes, and let distro's do the signing.

Sent from my Android phone. Please ignore typos.

-----Original Message-----
From: David =?UTF-8?Q?Ja=C5=A1a?= [djasa at redhat.com]
Received: Thursday, 26 Jan 2012, 15:33
To: board at ovirt.org
Subject: package signing

Hi,

at least nightly fedora repo is not signed (i didn't look at the other
ones but I suspect that all other repos are also unsigned). We should
establish package signing infrastructure and we should also publish
signing key fingerprint on SSL/TLS-secured page to prevent any MITM
attack aimed on ovirt repo users.

David

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24



_______________________________________________
Board mailing list
Board at ovirt.org
http://lists.ovirt.org/mailman/listinfo/board


Sent from my Android phone. Please ignore typos.


More information about the Board mailing list