On 12/19/2009 11:03 AM, Christopher Brown wrote: > 2009/12/15 Adam Goode <a...@spicenitz.org>: >> On 12/13/2009 06:16 AM, Christopher Brown wrote: >>> 2009/12/11 Adam Goode <a...@spicenitz.org>: >>>> We should definitely use Debian's key, right? Otherwise some Fedora CLI >>>> libraries would be unnecessarily incompatible with Debian, and whoever >>>> else uses Debian's key. >>>> >>>> The whole business of not shipping code-signing keys is a little >>>> contrary to open source. I think this is something that GPLv3 would >>>> prohibit. We should use a single well-known signing key for any package >>>> that we don't have the keys for, I think. >>> >>> You're right. >>> >>> This has already been resolved in devel by added mono.snk to the >>> mono-devel package. I'm just waiting on commit access to make the >>> required changes to F-11 and F-12 unless someone else wants to do it. >>> >> >> It looks like spot generated a new mono.snk. I was arguing to use >> Debian's mono.snk, for cross-distro compatibility. Shouldn't everyone >> should use Debian's key unless a package provides its own? > > Ideally we (Fedora and Debian) should use a single key generated by > upstream but as this issue is only problematic due to cyclic dep > problems in the build process I think that using our own is enough. > Unfortunately I don't care enough to chase this issue further.
Yeah, I think there is very little merit in giving any amount of trust to that key, nor is there any real value in picking up mono bits built for Debian and putting them on Fedora and expecting them to work (or vice versa). ~spot -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
