Should Fedora rpms be signed?

Satish Balay balay at fastmail.fm
Thu Nov 4 21:48:05 UTC 2004


On Thu, 4 Nov 2004, Peter Jones wrote:

> It's true to our tools, and I think it's true in the eyes of our users.
> I'm not the only one who's stated this impression, either.  Jef put it
> pretty well the other day talking to Satish:
> 
> > On Mon, 1 Nov 2004 12:58:22 -0600 (CST), Satish Balay
> > <balay at fastmail.fm> wrote:
> > > No confusion here either - as rawhide packages are never mistaken 
> > > for erratum packages.
> > 
> > really? no one ever mistakes a package from rawhide as a consumable
> > package?  really? no one ever does a random search for a package
> > from an online rpm warehouse and finds a package meant as a piece
> > of rawhide and not as a consumable update?  really? no one ever
> > takes packages from the rawhide tree and mixes them with updates
> > and creates a homebrew repository that other users will be using?
> 
> There is no part of which key was being used that carries any data about
> what the signature means, and this is a very significant problem.  Why
> isn't this point clear?  

I guess I have to answer this question as well. The following is in
context with signed/unsigned rawhide packages (not random things users
can do).

******

Jeff (& I guess you) are assuming the following:

- user always does the following on an RHEL box:

rpm --import REDHAT-KEY
rpm --import RAWHIDE-KEY
And always uses 'yum' with 'gpgcheck'

Thus unsigned rawhide-packages saved the day. 

But they will NEVER do the following:

- remove the 'gpgcheck' flag in yum.conf - and install packages from
  rawhide on RHEL
- wget a 'randomly searched' rpm and install it with 'rpm -ivh foobar.rpm' on an RHEL box.


*******

My contention is: 

- The second part is not fixable - so that problem isn't being solved.

- if the user is dumb enough to do 'rpm --import RAWHIDE-KEY' on a RHEL
  box - you can still have the EXACT same protection (as your
  unsigned-rawhide) - by coming up with a new key
  'YOU-MUST-BE-CRAZY-TO-RPM-IMPORT-THIS-KEY.gpg' - and signing rawhide
  with it.

********

And I'm not disputing the fact that a better infrastructure is required
to distinguish keys automatically.

Satish
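Added example, not code from the thread nor from rpm or yum: a POSIX shell script that supplies the piece Peter's quote says is missing, a table mapping the key ID that 'rpm -Kv' reports to what a signature by that key means, and that applies the RHEL-box decision Satish describes (an unsigned rpm and one signed with a key that was never imported are refused alike; an imported rawhide key is only caught because the table says what it is). It also reads the [main] gpgcheck setting out of a yum.conf, the flag the second scenario turns off. The key IDs, policy classes, 'rpm -Kv' transcripts, digests and yum.conf fragments are all constructed placeholders, not the real Red Hat or Fedora keys or output.

```shell
# Added example, not code from the thread or from rpm/yum: rpm -K tells you
# WHICH key signed a package; this script adds the "what that key means"
# table the discussion says is missing, plus a yum.conf gpgcheck audit.
# All key IDs, digests and sample outputs below are constructed placeholders.

# Policy table: key ID -> class. Placeholder IDs, not the real Red Hat/Fedora keys.
KEY_POLICY="a0b1c2d3 release
e4f5a6b7 updates
c8d9e0f1 rawhide"

# key_class KEYID: print the policy class of KEYID, or "unknown".
key_class() {
    cls=$(printf '%s\n' "$KEY_POLICY" | awk -v k="$1" '$1 == k { print $2 }')
    printf '%s\n' "${cls:-unknown}"
}

# sig_status: read 'rpm -Kv' output on stdin; print "<status> <keyid>" for the
# payload signature line (Header lines are skipped), or "unsigned -" when the
# package carries digests only.
sig_status() {
    awk '
        tolower($0) ~ /signature:/ && tolower($0) !~ /^[ \t]*header/ {
            st = $0; sub(/.*signature: */, "", st); sub(/,.*/, "", st)
            kid = "-"
            if (match($0, /key ID [0-9a-fA-F]+/))
                kid = tolower(substr($0, RSTART + 7, RLENGTH - 7))
            print st, kid; found = 1; exit
        }
        END { if (!found) print "unsigned -" }'
}

# decide ROLE: ROLE is "rhel" or "rawhide". Reads 'rpm -Kv' output on stdin and
# prints ALLOW/DENY with a reason; exit status 0 only on ALLOW. On a RHEL box an
# unsigned rpm and one signed with a never-imported key (NOKEY) are refused the
# same way; a rawhide key that WAS imported is caught only by the policy table.
decide() {
    role=$1
    set -- $(sig_status)
    status=$1; keyid=$2
    case "$status" in
        OK)       ;;
        unsigned) echo "DENY unsigned package"; return 1 ;;
        NOKEY)    echo "DENY signing key $keyid not imported"; return 1 ;;
        *)        echo "DENY signature status $status for key $keyid"; return 1 ;;
    esac
    cls=$(key_class "$keyid")
    case "$role:$cls" in
        *:unknown)    echo "DENY key $keyid not in policy"; return 1 ;;
        rhel:rawhide) echo "DENY key $keyid is a rawhide key; not for a $role box"; return 1 ;;
        *)            echo "ALLOW key $keyid class $cls"; return 0 ;;
    esac
}

# yum_gpgcheck: read a yum.conf on stdin; print the [main] gpgcheck value
# (0 when unset). Only [main] is consulted; per-repo settings are ignored.
yum_gpgcheck() {
    awk -F= '
        /^[ \t]*\[/ { inmain = ($0 ~ /^[ \t]*\[main\][ \t]*$/); next }
        inmain && $1 ~ /^[ \t]*gpgcheck[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v) }
        END { if (v == "") v = 0; print v }'
}

# Constructed 'rpm -Kv' transcripts (digest values are dummies).
SAMPLE_UPDATE="    Header V3 DSA signature: OK, key ID e4f5a6b7
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    MD5 digest: OK (00000000000000000000000000000000)
    V3 DSA signature: OK, key ID e4f5a6b7"
SAMPLE_RAWHIDE="    Header V3 DSA signature: OK, key ID c8d9e0f1
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    MD5 digest: OK (00000000000000000000000000000000)
    V3 DSA signature: OK, key ID c8d9e0f1"
SAMPLE_NOKEY="    Header V3 DSA signature: NOKEY, key ID c8d9e0f1
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    MD5 digest: OK (00000000000000000000000000000000)
    V3 DSA signature: NOKEY, key ID c8d9e0f1"
SAMPLE_UNSIGNED="    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    MD5 digest: OK (00000000000000000000000000000000)"
SAMPLE_FOREIGN="    V3 DSA signature: OK, key ID deadbeef"

# Constructed yum.conf fragments: gpgcheck off vs. on in [main].
YUM_CONF_WEAK="[main]
cachedir=/var/cache/yum
gpgcheck=0

[rawhide]
name=Fedora Core rawhide
gpgcheck=1"
YUM_CONF_FIXED="[main]
cachedir=/var/cache/yum
gpgcheck=1"

for s in "$SAMPLE_UPDATE" "$SAMPLE_RAWHIDE" "$SAMPLE_NOKEY" "$SAMPLE_UNSIGNED" "$SAMPLE_FOREIGN"; do
    printf '%s\n' "$s" | decide rhel || true
done
printf 'yum.conf [main] gpgcheck: weak=%s fixed=%s\n' \
    "$(printf '%s\n' "$YUM_CONF_WEAK" | yum_gpgcheck)" \
    "$(printf '%s\n' "$YUM_CONF_FIXED" | yum_gpgcheck)"
```

Run as-is to see the five decisions against the constructed transcripts. On a real box the same functions take live input ('rpm -Kv foo.rpm | decide rhel', 'yum_gpgcheck < /etc/yum.conf') once the placeholder table holds the key IDs actually imported there; 'rpm -q gpg-pubkey --qf '%{version} %{summary}\n'' lists them with their user IDs, which is also where a key named YOU-MUST-BE-CRAZY-TO-RPM-IMPORT-THIS-KEY would show up.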



