Proposal: Discourage rpmbuild --sign

Warren Togami warren at togami.com
Wed Dec 31 21:25:56 UTC 2003


Willem Riede wrote:
> On 2003.12.31 12:24, Rui Miguel Seabra wrote:
> 
>>On Wed, 2003-12-31 at 15:43, Michael Schwendt wrote:
>>
>>
>>>People don't build src.rpms for fun. They build them to install the built
>>>packages as root (!) and then to use them from within their normal user
>>>account.
>>
>>He's talking about 'rpmbuild --sign zbr' and not 'rpmbuild zbr'
>>
>>The problem is well explained, and only someone who doesn't believe a trojan
>>could be injected into apparently good source code (i.e., downloaded from
>>sf.net, for instance -- ever heard of DNS spoofs?) doesn't understand.
>>
>>When I build RPMS for AbiWord, I build the RPMS with a specific user for
>>rpmbuilding, and sign the rpms afterward with my key, on my account.
> 
> 
> While that is a good practice, is it sufficient? How do you know that the 
> package you just attached your reputation to (by signing with your key)
> isn't going to trash or take over the system of any user that installs it?

You do not.  But you do not need to build and install the package on the 
same machine.  In fact, it is STUPID to test packages that you have 
built on the same host as your signing key, especially if you are a 
popular 3rd party packager with thousands of users.

Warren
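The build/sign split that Rui and Warren describe, written out as a script. This is an added example, not code from this thread or from Fedora: the untrusted spec's %prep/%build/%install scriptlets run on the build host under an unprivileged account whose HOME holds no secret keys, the finished RPMs are checksummed and copied to a separate signing host, and only there is the key used. The account "rpmbuilder", the staging directory /srv/rpm-stage, the host signer.example.org and the key id packager@example.org are placeholders, not names from the post. Any arguments after the src.rpm are passed through as extra rpmbuild options.

```shell
#!/bin/sh
# Added example (not from the original thread): build untrusted src.rpms on a
# host and account that hold no signing key, then sign on a separate host.
# Placeholders below are assumptions, not values from the mailing-list post.

BUILD_USER="${BUILD_USER:-rpmbuilder}"
BUILD_HOME="${BUILD_HOME:-/home/rpmbuilder}"
STAGE_DIR="${STAGE_DIR:-/srv/rpm-stage}"
SIGN_HOST="${SIGN_HOST:-signer.example.org}"
SIGN_KEY="${SIGN_KEY:-packager@example.org}"

# Returns 0 if the given HOME holds no GnuPG secret keyring, 1 if it does.
# Both the pre-2.1 secring.gpg and the 2.1+ private-keys-v1.d layouts count.
build_home_is_clean() {
    for f in "$1/.gnupg/secring.gpg" "$1/.gnupg/private-keys-v1.d"; do
        if [ -e "$f" ]; then
            return 1
        fi
    done
    return 0
}

# Returns 0 unless one of the arguments is --sign: signing must not happen on
# the host where the untrusted scriptlets have just run.
args_forbid_sign() {
    for a in "$@"; do
        case "$a" in
            --sign) return 1 ;;
        esac
    done
    return 0
}

# Step 1 (build host): rebuild the src.rpm as the unprivileged account with an
# explicit _topdir, then record checksums of the packages that were produced.
build_untrusted() {
    srpm="$1"
    shift
    build_home_is_clean "$BUILD_HOME" || {
        echo "refusing to build: secret keys present in $BUILD_HOME" >&2
        return 1
    }
    args_forbid_sign "$@" || {
        echo "refusing to build: --sign is not allowed on the build host" >&2
        return 1
    }
    sudo -u "$BUILD_USER" -H rpmbuild \
        --define "_topdir $BUILD_HOME/rpmbuild" --rebuild "$srpm" "$@"
    mkdir -p "$STAGE_DIR"
    find "$BUILD_HOME/rpmbuild/RPMS" -name '*.rpm' -exec cp {} "$STAGE_DIR"/ \;
    (cd "$STAGE_DIR" && sha256sum ./*.rpm > SHA256SUMS)
}

# Step 2 (signing host): confirm the files match what the build host produced,
# sign them, and verify the signatures.  Older rpm did this with
# "rpm --addsign"; rpm 4.14 and later ship the signing code as rpmsign.
sign_on_signing_host() {
    ssh "$SIGN_HOST" mkdir -p "$STAGE_DIR"
    scp "$STAGE_DIR"/*.rpm "$STAGE_DIR"/SHA256SUMS "$SIGN_HOST:$STAGE_DIR/"
    ssh "$SIGN_HOST" "cd '$STAGE_DIR' \
        && sha256sum -c SHA256SUMS \
        && rpmsign --addsign --define '_gpg_name $SIGN_KEY' ./*.rpm \
        && rpm --checksig ./*.rpm"
}

# The full pipeline runs only when explicitly requested, so the file can be
# sourced for its checks without side effects.
if [ "${RUN_RPM_PIPELINE:-0}" = 1 ]; then
    build_untrusted "$@" && sign_on_signing_host
fi
```

Run it as `RUN_RPM_PIPELINE=1 sh build-and-sign.sh foo-1.0-1.src.rpm` on the build host. The two guard functions are the point: the build account's HOME must not contain a secret keyring, and --sign is rejected outright, so a trojaned %build section can at worst damage the throwaway build account, never reach the key. `rpm --checksig` on the signing host only reports a good signature for keys imported into that host's rpm database, so import the public key there first.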
