FESCo Meeting Summary for 2008-08-20

Richard Hughes hughsient at gmail.com
Thu Aug 28 14:05:44 UTC 2008


On Wed, 2008-08-27 at 20:22 -0400, Brian Pepple wrote:
> === Signing and Pushing New Keys ===
> * Long discussion on how to handle the package key migration for users.
> FESCo ended up approving Warren's proposal, which can be found here:
> http://lists.fedoraproject.org/pipermail/rel-eng/2008-August/001622.html
> * NOTE: Once this is implemented we can start issuing updates again,
> which I think is what most people are interested in hearing about.

Might have been nice for someone to ping me if you guys were talking
about PackageKit.

> > wwoodsf13: yeah, it's weaksauce, but you remember the failure
> > condition for PK was *SO BAD* that we added last-minute horrible
> > hacks to anaconda over jeremy's (valid) objections

I guess by hacks you meant that I wanted anaconda to auto-import the
fedora signing key at install time.

To be blunt, if the media is compromised, then unsigned updates are the
_last_ of your problems -- think what would happen if a compromised
kernel or sshd was installed - a remote exploit without even installing
a single update.

The only way you can guarantee the authenticity of the media is to post
its sha1sum in a well known place that we test the image against -
which is basically what we do now.

Asking the user to agree that key abcdef12345 corresponds to the fedora
project at first boot is just security through obscurity. Ubuntu and
other distributions don't make you do this.

> > dgilmore: pk is an ugly mess

I assume you filed bugs, or were you just interested in mud-throwing? I
would prefer if you talked to me about any issues or concerns you had --
comments like that really do not show professionalism.

Thanks.

Richard.
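The media check described above (an image tested against a digest published in a well-known place) is the kind of thing a small verifier can make concrete. The following is an added example written for this page, not code from the thread or from Fedora's tooling; it parses both the BSD-style `SHA1 (file) = hex` lines used in signed CHECKSUM files and plain GNU-style `hex  file` lines, computes the digest of each named file in a directory, and compares with a constant-time comparison. The file names, contents and the "published" digests in `demo()` are constructed sample data, not a real release.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Two line formats found in published checksum files:
#   BSD style:  SHA1 (Fedora-9-i386-DVD.iso) = 0123...
#   GNU style:  0123...  Fedora-9-i386-DVD.iso
BSD_LINE = re.compile(r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]+)$")
GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]+) [ *](?P<name>\S.*)$")


def parse_checksum_file(text, default_algo="sha1"):
    """Return {filename: (algo, hexdigest)} from published checksum text.
    Blank lines, comments and PGP clearsign armour are ignored."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-----")):
            continue
        m = BSD_LINE.match(line)
        if m:
            expected[m.group("name")] = (m.group("algo").lower(), m.group("hex").lower())
            continue
        m = GNU_LINE.match(line)
        if m:
            expected[m.group("name")] = (default_algo, m.group("hex").lower())
    return expected


def digest_file(path, algo):
    """Stream the file through the named hash so large images need little memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_images(directory, checksum_text):
    """Check every file named in checksum_text against its published digest.
    Returns {filename: 'ok' | 'MISMATCH' | 'missing'}."""
    results = {}
    for name, (algo, want) in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        got = digest_file(path, algo)
        # compare_digest avoids leaking where the digests first differ
        results[name] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    return results


def demo():
    """Constructed sample: two tiny 'images' and a checksum list in which the
    second image no longer matches what was published (hypothetical data)."""
    with tempfile.TemporaryDirectory() as d:
        good = b"pretend this is an install DVD image\n"
        altered = b"this image was altered after the checksum was published\n"
        with open(os.path.join(d, "good.iso"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.iso"), "wb") as f:
            f.write(altered)
        checksum_text = "\n".join([
            "-----BEGIN PGP SIGNED MESSAGE-----",
            "Hash: SHA1",
            "",
            "SHA1 (good.iso) = " + hashlib.sha1(good).hexdigest(),
            # digest of the ORIGINAL tampered.iso contents, as it was published
            "SHA1 (tampered.iso) = " + hashlib.sha1(b"original contents\n").hexdigest(),
            hashlib.sha1(b"x").hexdigest() + "  absent.iso",
            "-----BEGIN PGP SIGNATURE-----",
            "-----END PGP SIGNATURE-----",
        ])
        return verify_images(d, checksum_text)


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

The script only checks digests; it trusts whatever checksum text it is handed. That text is the "well known place" in the message above, so it must itself arrive over a channel you trust, and where the publisher clearsigns it (as the PGP armour lines in the sample suggest) the signature should be checked with `gpg --verify` before the digests are used.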
