On 06.12.19 at 09:02, Lennart Poettering wrote:
>
> Humm, so you turn off gpg verification of RPMs you install? Nah, you
> don't, because you put trust in Fedora that the RPMs they build are
> somewhat safe to use. That's what vendor trust means. Since regular
As the vendor supplies the checksums, what is your point?

GPG RPM verification is there to make sure that the supply chain isn't
tampered with, not whether the base code matches the src someone posted on GitHub.

As many Fedora builds have "rh" patches added to them, a deep user
survey of the source code used would reveal major differences from the
original code. To name two prominent ones: Apache & Firefox.

In the end, yes, we trust the Fedora devs not to include backdoors in the
software, but it has absolutely nothing to do with homed only
encrypting user homedirs instead of the entire system. That way, the
integrity of the system cannot be guaranteed and therefore it does not
matter much whether or not the homedir is encrypted.

best regards,
Marius

