[Rpm-maint] [rpm-software-management/rpm] Can't use `--define "_gpg_name Foo"` any more (#153)
Jeff Johnson
notifications at github.com
Thu Jul 12 16:02:15 UTC 2018
I would also suggest that the current implementation, which does not permit a single build-and-sign operation, has a larger attack surface, permitting an unsigned package to be modified until it is signed.
I do not understand the reasoning that claims that a single build-and-sign command is deemed "insecure". Perhaps what is meant is that users were using secret keys with no passwords in automated builds to avoid having to supply the password for the secret key. But that is an "insecure" usage and not an "insecure" implementation.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/153#issuecomment-404563552