Should Fedora rpms be signed?

seth vidal skvidal at phy.duke.edu
Mon Nov 1 23:29:34 UTC 2004


> Update tool authors resist making signature checking configurable on a
> per-repo basis, which would alleviate the strain but reduce the overall
> utility of the tools.


I'm not sure I see why it reduces the utility of the tool. My reasoning
for it being done in yum:
1. it lets you use a repository out in the world that you trust the
packagers (and those who can sign packages) but you don't know what kind
of security the mirror you use has set up locally. So if their mirror
gets owned you don't have to worry about installing trojanned packages.

2. it lets you use a local repo that you trust completely. Arguably this
is dangerous but I think we've all at one point or another had an rpm
we've installed on a set of machines that we knew was good.


As you've said before, Peter, I think there needs to be something in
between.

rpm sigs tell you that this package is the same as the one that the
package provider put out there.

repository sigs should tell you that the metadata is the same as the
repository provider put out there.

nothing more.

-sv
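The two cases in the message, written out as yum repository configuration. This is an added example and not part of the original post; the repository names, URLs and key path are made up. `gpgcheck` and `gpgkey` are the per-repo yum options the message refers to; `repo_gpgcheck` is the option later yum releases and dnf added for checking the signature on the repository metadata (the "repository sig" discussed above), and did not exist when this message was written.

```ini
# /etc/yum.repos.d/example-trust-levels.repo  (constructed example)

# Case 1 from the message: a public repository reached through a mirror.
# The packagers are trusted, the mirror operator is not, so every package
# must carry a signature from the packagers' key before it is installed.
[upstream-via-mirror]
name=Upstream packages, fetched through an untrusted mirror
baseurl=http://mirror.example.org/pub/upstream/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-upstream-example
# Also verify the signature on the repository metadata (repomd.xml). This
# shows the package list itself came from the repository provider, not from
# whoever controls the mirror. Option added to yum after 2004; also in dnf.
repo_gpgcheck=1

# Case 2 from the message: a local repository you control end to end.
# Signature checking is switched off for this repo only; the global default
# set in the [main] section of yum.conf stays on.
[local-trusted]
name=Locally built packages on a trusted host
baseurl=file:///srv/repo/local/
enabled=1
gpgcheck=0
```

With `gpgcheck=1` in the `[main]` section of yum.conf as the default, only repositories that explicitly set `gpgcheck=0` skip package signature verification. A mirror that serves a modified package for the first repository then fails the signature check instead of being installed, while `repo_gpgcheck=1` additionally rejects a modified package list.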
More information about the fedora-test-list mailing list