warning to list

[Paul Iadonisi]

On Mon, 2004-10-25 at 13:42, Matias Féliciano wrote:

[snip]

> By not signing their rpm in rawhide, Red Hat "force" me to take risk
> (fake rpm, ...) for _nothing_. I don't want to take these risks.

  With this statement, along with Ian Pilcher's last post to this
thread, perhaps I should shut up about it, since, in essence, I'm in
violent agreement with both of you ;-).
  But, I tend to agree with what someone posted about packages signed
with keys that are not password protected being only marginally better
than packages not signed at all.
  I think it was actually in Bruce Schneier's Cryptogram that I read the
statement, paraphrased, that if it's worth protecting at all, then it's
worth having a password that must be typed (in reference to web server
certificates, but the principle is the same).
  So, since I haven't seen any proposals, yet, for how to make sure
packages are signed, without using password-less keys, how about this
idea: Have more than one signing key for *develpment packages only*,
named RPM-GPG-KEY-fedora-test-arjanv, RPM-GPG-KEY-fedora-test-alan,
RPM-GPG-KEY-test-davej, etc, etc.  Give it enough spread across Red Hat
to give better odds that at least one of the signers will always be
available.  Shot in the dark: maybe five signers?  Rotate signing
responsibility on a weekly basis, maybe?  This maybe a good prep for
allowing more community participation as well, giving a few outsiders
signing rights with a public key in /usr/share/rhn.  That's the hope,
anyhow, since I suspect it may be a problem for Red Hat to give internal
Red Hat folks *more* responsibility in regards to Fedora Core.
  Anyhow, I figured I just throw that out there as idea just off the top
of my head.
  Thoughts?
--
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets