On 10.01.2012 20:09, Dan Fandrich wrote:
> On Tue, Jan 10, 2012 at 08:00:35PM +0100, Johnny A. Solbu wrote:
>> I think this is a good initiative.
>> Do other distros do this?
>> Perhaps we can ask other distros to start doing the same, and thus give
>> upstream developers a reason for signing.
> I believe at least some source-based distros (e.g. Gentoo) do this since
> there's no other means to ensure that the end user isn't downloading and
> compiling compromised source.

Well, even that didn't protect them from distributing backdoored unrealircd:
https://bugs.gentoo.org/show_bug.cgi?id=323691#c2

But in general it seems a good way to go. Always wondered why some SPECs had .asc signatures defined in Source tags, but nothing used them.

> It's not really necessary with RPM as
> the spec file creator can verify the source manually (using GPG or other
> means) before packaging it into an SRPM signed by his key. But, chances
> are that manual step is not happening now so making it automatic isn't
> a bad idea.
>
> Dan
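The automatic check Dan refers to, as an added example that is not part of this thread and not any distro's actual packaging policy: an RPM spec fragment that lists the upstream detached `.asc` signature and a packager-maintained keyring as Sources and verifies the tarball in `%prep` with `gpgv`, so the build aborts if the signature does not match. The package name, version, URLs, file names and the `gnupg2` BuildRequires are placeholders/assumptions.

```rpmspec
Name:           example
Version:        1.0
Release:        1
Summary:        Placeholder package illustrating upstream source signature checks
License:        MIT
URL:            https://example.invalid/
# Upstream tarball and its detached signature (placeholder URLs)
Source0:        https://example.invalid/%{name}-%{version}.tar.gz
Source1:        https://example.invalid/%{name}-%{version}.tar.gz.asc
# Binary (non-armored) keyring holding only the upstream release key.
# It lives in the package's SCM next to the spec, so the trust anchor is
# reviewed and versioned by the packager rather than fetched at build time.
Source2:        %{name}-upstream-keyring.gpg
# Assumed package name providing gpgv
BuildRequires:  gnupg2

%description
Placeholder package illustrating upstream source signature checks.

%prep
# gpgv trusts only keys in the keyring given here: a signature made by any
# other key, or a tarball that does not match the signature, makes it exit
# non-zero and the build stops before any upstream code is unpacked.
gpgv --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
```

Two points to keep in mind with this layout: `gpgv` needs a binary keyring, so an ASCII-armored upstream key is converted once with `gpg --dearmor` before being committed as Source2; and the keyring file itself is now the trust anchor, so a change to it (a new or rotated upstream key) is the commit that deserves the packager's and reviewers' attention, not the tarball bump.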
