[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Proposal: Discourage rpmbuild --sign

From: Warren Togami <warren togami com>
To: fedora-devel-list redhat com
Subject: Re: Proposal: Discourage rpmbuild --sign
Date: Wed, 31 Dec 2003 11:25:56 -1000

Willem Riede wrote:

On 2003.12.31 12:24, Rui Miguel Seabra wrote:
On Wed, 2003-12-31 at 15:43, Michael Schwendt wrote:
People don't build src.rpms for fun. They build them to install the built
packages as root (!) and then to use them from within their normal user
account.
He's talking about 'rpmbuild --sign zbr' and not 'rpmbuild zbr'
The problem is well explained, and only who doesn't believe a trojan
could be inject in apparently good source code (ie, downloaded from
sf.net, for instance -- ever heard of dns spoofs?) doesn't understand.
When I build RPMS for AbiWord, I build the RPMS with a specific user for
rpmbuilding, and sign the rpms afterward with my key, on my account.
While that is a good practice, is it sufficient? How do you know that the package you just attached your reputation to (by signing with your key) isn't going to trash or take over the system of any user that installs it?

You do not. But you do not need to build and install the package on the same machine. In fact, it is STUPID to test packages that you have built on the same host as your signing key, especially if you are a popular 3rd party packager with thousands of users.

Warren

References:
- Proposal: Discourage rpmbuild --sign
  - From: Warren Togami
- Re: Proposal: Discourage rpmbuild --sign
  - From: Michael Schwendt
- Re: Proposal: Discourage rpmbuild --sign
  - From: Rui Miguel Seabra
- Re: Proposal: Discourage rpmbuild --sign
  - From: Willem Riede

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]