Am 06.12.19 um 09:02 schrieb Lennart Poettering: > > Humm, so you turn off gpg verification of RPMs you install? Nah, you > don't, because you put trust in Fedora that the RPMs they build are > somewhat safe to use. That's what vendor trust means. Since regular
As the vendor supplies the checksums, what is your point? GPG RPM verification is there to make sure, that the supplychain isn't tampered, not if the base code matches the src someone posted on github. As many fedora builds have "rh" patches added to them, a deep user survey of sourceodes used would reveal major differences with the original code. To name two prominent: Apache & Firefox. In the end, yes we trust in Fedora Devs not include backdoors into the software, but it has absolutely nothing to do, with homed only encrypting userhomedirs, instead of the entire system. That way, the integrity of the system can not be guaranteed and therefor it does not matter much, if or if the homedir is encrypted. best regards, Marius _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
