On Tue, Jan 10, 2012 at 08:00:35PM +0100, Johnny A. Solbu wrote:
> I think this is a good initiative.
> Do other distros do this?
> Perhaps we can ask other distros to start doing the same, and thus give
> upstream developers a reason for signing.
I believe at least some source-based distros (e.g. Gentoo) do this, since there's no other means to ensure that the end user isn't downloading and compiling compromised source. It's not really necessary with RPM, as the spec file creator can verify the source manually (using GPG or other means) before packaging it into an SRPM signed by his key. But chances are that manual step is not happening now, so making it automatic isn't a bad idea.

Dan
