Should Fedora rpms be signed?
Satish Balay
balay at fastmail.fm
Thu Nov 4 21:48:05 UTC 2004
On Thu, 4 Nov 2004, Peter Jones wrote:
> It's true to our tools, and I think it's true in the eyes of our users.
> I'm not the only one who's stated this impression, either. Jef put it
> pretty well the other day talking to Satish:
>
> > On Mon, 1 Nov 2004 12:58:22 -0600 (CST), Satish Balay
> > <balay at fastmail.fm> wrote:
> > > No confusion here either - as rawhide packages are never mistaken
> > > for erratum packages.
> >
> > really? noone ever mistakes a package from rawhide as a consumable
> > package? really? no one ever does a random search for a package
> > from an online rpm warehouse and finds a package meant as a piece
> > of rawhide and not as a consumable update? really? no one ever
> > takes packages from the rawhide tree and mixes them with updates
> > and creates a homebrew repository that other users will be using?
>
> There is no part of which key was being used that carries any data about
> what the signature means, and this is a very significant problem. Why
> isn't this point clear?
I guess I have to answer this question as well. The following is in
context with signed/unsigned rawhide packages (not random things users
can do).
******
Jeff (& I guess you) are assuming the following:
- user always does the following on an RHEL box:
    rpm --import REDHAT-KEY
    rpm --import RAWHIDE-KEY
  and always uses 'yum' with 'gpgcheck'.
Thus unsigned rawhide packages saved the day.
But they will NEVER do the following:
- remove the 'gpgcheck' flag in yum.conf - and install packages from
  rawhide on RHEL
- wget a 'randomly searched' rpm and install it with 'rpm -ivh foobar.rpm'
  on an RHEL box.
*******
My contention is:
- The second part is not fixable - so that problem isn't being solved.
- if the user is dumb enough to do 'rpm --import RAWHIDE-KEY' on a RHEL
  box - you can still have the EXACT same protection (as your
  unsigned-rawhide) - by coming up with a new key
  'YOU-MUST-BE-CRAZY-TO-RPM-IMPORT-THIS-KEY.gpg' - and signing rawhide
  with it.
********
And I'm not disputing the fact that a better infrastructure is required
to distinguish keys automatically.
Satish
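Added example, not from the thread or from Fedora/rpm: a small Python model of the trust decision the post argues about. Packages are signed by one of two hypothetical keys (REDHAT-KEY, RAWHIDE-KEY), a host keyring holds whatever the admin has imported, and each imported key carries a purpose tag, which is the "infrastructure to distinguish keys" the post says is still required. The signature primitive is a stand-in (HMAC-SHA256 keyed with a per-key secret, so the keyring also holds that secret); it is not the OpenPGP signing that rpm actually uses, and the key names, purposes and packages are all constructed for the example.

```python
"""Model of rpm key trust on a stable box: which packages get installed
under gpgcheck depends on (a) whether the signature verifies against an
imported key and (b) what that key is understood to mean.

Stand-in crypto: HMAC-SHA256 with a per-key secret, labelled as such.
Real rpm uses OpenPGP signatures and public keys; the policy logic is
the part this example is about.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical signing keys: name -> secret (stands in for the private key).
KEYS: Dict[str, bytes] = {
    "REDHAT-KEY": b"constructed-release-signing-secret",
    "RAWHIDE-KEY": b"constructed-rawhide-signing-secret",
}


def key_id(key_name: str) -> str:
    """Stand-in for a GPG key id: a short hash of the key material."""
    return hashlib.sha256(KEYS[key_name]).hexdigest()[:16]


@dataclass
class Package:
    name: str
    payload: bytes
    signer_key_id: Optional[str] = None   # None -> unsigned package
    signature: Optional[bytes] = None


def sign(pkg: Package, key_name: str) -> Package:
    """Sign the package payload digest with the named key (stand-in HMAC)."""
    digest = hashlib.sha256(pkg.payload).digest()
    pkg.signer_key_id = key_id(key_name)
    pkg.signature = hmac.new(KEYS[key_name], digest, hashlib.sha256).digest()
    return pkg


class Keyring:
    """What 'rpm --import' populates, plus a purpose tag per key."""

    def __init__(self) -> None:
        self.keys: Dict[str, Tuple[bytes, str]] = {}

    def import_key(self, key_name: str, purpose: str) -> None:
        # purpose is the admin's statement of what a signature by this key means
        self.keys[key_id(key_name)] = (KEYS[key_name], purpose)


def check_sig(pkg: Package, ring: Keyring) -> Tuple[str, Optional[str]]:
    """Return (status, purpose); status is one of unsigned/nokey/bad/ok.

    'nokey' (signed by a key never imported) and 'unsigned' are different
    observations, but both are rejected below; that is the sense in which
    signing rawhide with its own key gives the same protection as leaving
    it unsigned, as long as the user never imports that key."""
    if pkg.signature is None or pkg.signer_key_id is None:
        return "unsigned", None
    if pkg.signer_key_id not in ring.keys:
        return "nokey", None
    secret, purpose = ring.keys[pkg.signer_key_id]
    expected = hmac.new(secret, hashlib.sha256(pkg.payload).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkg.signature):
        return "bad", None
    return "ok", purpose


def install_allowed(pkg: Package, ring: Keyring, gpgcheck: bool = True,
                    allowed_purposes: Tuple[str, ...] = ("release",)) -> bool:
    """Install policy of a stable box.

    gpgcheck=False models 'rpm -ivh foobar.rpm' or a disabled check: anything
    installs. With the check on, the signature must verify AND the key's
    purpose must be allowed, so even an imported RAWHIDE-KEY does not turn a
    rawhide package into a consumable update."""
    if not gpgcheck:
        return True
    status, purpose = check_sig(pkg, ring)
    return status == "ok" and purpose in allowed_purposes


if __name__ == "__main__":
    ring = Keyring()
    ring.import_key("REDHAT-KEY", "release")
    update = sign(Package("openssl-0.9.7a-43", b"constructed payload"), "REDHAT-KEY")
    devel = sign(Package("openssl-0.9.7e-1", b"constructed rawhide payload"), "RAWHIDE-KEY")
    for p in (update, devel):
        print(p.name, check_sig(p, ring), install_allowed(p, ring))
    ring.import_key("RAWHIDE-KEY", "devel")   # the 'crazy' import
    print(devel.name, check_sig(devel, ring), install_allowed(devel, ring))
```

The purpose tag is the whole point: a bare key id only tells the host that the signature verified, not what kind of tree the package came from, so the policy layer has to carry that meaning explicitly.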