Should Fedora rpms be signed?

Satish Balay balay at fastmail.fm
Mon Nov 1 20:51:34 UTC 2004
On Mon, 1 Nov 2004, Jeff Spaleta wrote:

> On Mon, 1 Nov 2004 13:47:32 -0600 (CST), Satish Balay <balay at fastmail.fm> wrote:
> > But unless you are saying: somehow the current non-gpg-signed packages
> > are preventing such folks from doing the wrong things (listed above) -
> > and 'gpg-signing' encourages them to do them - your text adds no
> > substance to the discussion.
> 
> Fine, I'll repeat myself... again.
> 
> Yes... I firmly believe... that long term... as tools become more
> signature aware and tools become more demanding that signatures be
> present on consumable rpms, that signing throw away packages like
> rawhide packages encourages people to use those packages out of
> context, and encourages people to store individual rawhide packages
> for later use on other systems, instead of encouraging people to use
> a full rawhide collection.

I (as a clueless user) can do the same thing with unsigned
packages. gpg doesn't encourage anything new to the clueless user.

> 
> We can argue about the technical definition of what gpg-signing
> means.

Let's not.

> This is a matter of common perception as to what signing a package
> means, and what vendors have historically wanted people to think
> signing a package means... in the context of rpm's implementation of
> signing and not in the context of gnupg's or pgp's general purpose
> implementation.  And I argue that historically... rpm package
> signing has meant more than "built on this host" and that many
> vendors including Red Hat have meant it to mean more than "built on
> this host."  And I will argue that until rpm gets support for the
> trust metric concept using signed keys, signing rawhide packages
> encourages people to "trust" rawhide packages. Where "trust" is a
> quantifiable measurement based on key signatures.  -jef

- Here the assumption is: EVERYONE's perception about gpg-signed rpms
(or rawhide) is the same.

- And perception is no excuse for proper documentation.

- There will always be wrong assumptions by users. This doesn't equate
to not signing-rawhide-packages. [And documenting it]

And as Matias already pointed out - let's not mix QA perception with
'signature'.

Satish