We currently trust the RPMs provided on the mockbuild repos to be valid. They're not directly modifiable by anyone but us, but as a backstop against accidental modification (e.g., by accidental disclosure of S3 credentials), we should additionally sign the packages and verify those signatures on every install.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE
Component: General Automation → General
Product: Release Engineering → Release Engineering