Hi,

I saw that this issue has been raised before for staging packages, but I'm 
wanting to bring to the attention of the relevant people/person that the LATEST 
Gluster stable packages are also not signed. There are no contact details 
within the package headers (see below), so I can't simply email the package 
maintainer. In any case, there can be zero trust placed in these packages. 
There is a GPG key assigned to the repo. Why not use it?

# rpm -qpi /var/www/html/repo/gluster-epel-5-x86_64/glusterfs-fuse-3.4.2-1.el5.x86_64.rpm
Name        : glusterfs-fuse               Relocations: (not relocatable)
Version     : 3.4.2                             Vendor: Fedora Project
Release     : 1.el5                         Build Date: Fri 03 Jan 2014 10:39:14 PM EST
Install Date: (not installed)               Build Host: buildvm-26.phx2.fedoraproject.org
Group       : Applications/File             Source RPM: glusterfs-3.4.2-1.el5.src.rpm
Size        : 225484                           License: GPLv2 or LGPLv3+
Signature   : (none)
Packager    : Fedora Project
URL         : http://www.gluster.org/docs/index.php/GlusterFS
Summary     : Fuse client
Description :

Regards,
Grant

_______________________________________________
Gluster-users mailing list
[email protected]
http://supercolony.gluster.org/mailman/listinfo/gluster-users
