Your example assumes the user will not be able to ensure a specific signature
is in the rpm, but @pmatilai in his list added explicitly the ability for rpm
-qi to list signatures, so the user can verify that a signature that purports
to be from a vendor exists, and you can verify the signature via the usual
methods.
The reproducible stuff is about being able to reproduce the payload, and that
is unchanged, as the signature is applied after an rpm is built and is not part
of the payload. So you can definitely reproduce the build and check that the
signature on the original rpm does in fact still validate (if the payload is
identical).
On the embedding we will simply disagree.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2420325399
Message ID: <rpm-software-management/rpm/issues/3385/[email protected]>
_______________________________________________
Rpm-maint mailing list
[email protected]
http://lists.rpm.org/mailman/listinfo/rpm-maint