Zbigniew Jędrzejewski-Szmek wrote:
> I don't buy that reasoning. You sign stuff to prevent silent
> modification (because of malice or corruption), and not to track
> changes, we have better mechanisms for that.

Signing is much more than an integrity proof, for which hash values would
suffice. The fact that some upstreams sign their code (in particular when
the code is security critical) means that they're willing to take
responsibility for the code in the form "they signed it off". It is
sometimes very easy to ruin a secure system by modifying it (with a patch
or some code in the spec file, it doesn't matter). That's why I thought it
might make sense for the packager to take responsibility for his
modifications by signing them.

The changelog doesn't really reflect the modifications in enough detail.
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org