Re: Proposal: Discourage rpmbuild --sign
- From: Willem Riede <wrrhdev riede org>
- To: fedora-devel-list redhat com
- Subject: Re: Proposal: Discourage rpmbuild --sign
- Date: Wed, 31 Dec 2003 14:02:48 -0500
On 2003.12.31 12:24, Rui Miguel Seabra wrote:
> On Wed, 2003-12-31 at 15:43, Michael Schwendt wrote:
>
> > People don't build src.rpms for fun. They build them to install the built
> > packages as root (!) and then to use them from within their normal user
> > account.
>
> He's talking about 'rpmbuild --sign zbr' and not 'rpmbuild zbr'
>
> The problem is well explained, and only those who don't believe a trojan
> could be injected in apparently good source code (i.e., downloaded from
> sf.net, for instance -- ever heard of DNS spoofs?) don't understand.
>
> When I build RPMS for AbiWord, I build the RPMS with a specific user for
> rpmbuilding, and sign the rpms afterward with my key, on my account.

While that is a good practice, is it sufficient? How do you know that the
package you just attached your reputation to (by signing with your key)
isn't going to trash or take over the system of any user that installs it?
Just because it didn't do that when you installed the package you just
built may only mean that the trojan's programmer coded a test to not trash
the host on which it is built so it has a better chance to propagate.

And how does knowing that the package is safe to install by your users
differ from the knowledge needed to be confident that building the package
in the first place (irrespective of whether that's as root or the key owner)
will not end in disaster?

Thanks, willem Riede.