Questions about package signing
Arch have only recently adopted package signing to pacman, and while Gentoo have had package signing for some time (I understand), many package developers don't bother to sign their packages.
My questions are, for a desktop user like me who's only looking to learn more stuff about Linux and not fill my drive with countless programs:
|
IMHO package signing has nothing to do with what purpose you use Linux for. Signing is an assurance the package you use has been approved for release (accountability) by a certain publisher (reputation) and has not been tampered with (integrity). Partial package signing obviously doesn't prove anything wrt unsigned components but at least it's not as worthless as relying on package hashes. That doesn't prove or guarantee anything at all. In terms of accountability and integrity verification it indeed would be the best if every package gets signed.
|
All times are GMT -5. The time now is 02:39 PM. |