Should Fedora rpms be signed?

Jeff Spaleta jspaleta at gmail.com
Fri Oct 29 14:08:56 UTC 2004


On Fri, 29 Oct 2004 15:36:47 +0200, Nils Philippsen <nphilipp at redhat.com> wrote:
> This still forces me to use special tools like up2date and yum to access
> the packages if I want to verify their origins.

actually...no.

You can grab the signed metadata with the md5sums, check the sig on that,
and then do an md5sum check comparing the md5sum values in the metadata
and the package. You can do the md5sum check by hand. This isn't much
different than the situation with the isos. How do you verify you are
using the correct isos? You check the md5sums against an md5sum list.
How do you check the validity of the md5sum list?
You check the md5sum list signature.

You might argue it would be a good idea if there was a signed flat
md5sum list for all packages as well as the xml metadata, so the
md5sum command could use it. And then I'll tell you, you need to
accept the inevitable future of xml for all possible human
communication adopted by unanimous United Nations resolution, and you
should fix md5sum to parse xml structure files for md5sum sigs :->

And I really really really don't want to encourage people to use
rawhide packages randomly from something like an online rpm warehouse.
I don't want misinformed people being able to pick up an individual
rawhide package, see that it's signed, and use the fact that there is a
verifiable signature as an easy excuse to assume it's totally okay to
install. This sort of crap happens a lot with unsigned rawhide, and I
don't want people who misunderstand what a signature really means to
feel more comfortable installing rawhide packages when they should not
be. There is a gap between the technical definition of what signing
a package means and the common perception of what a signed package means.
My concern is not for people like yourself, who understand that a
rawhide key doesn't mean anything beyond 'this package was built on the
automated rawhide build system.' My concern is for the people, the
much larger group of people, who will misinterpret the level of trust
associated with ANY key and will be that much more inclined to install
a random rawhide package they happen to find outside of a rawhide
mirror, without thinking about it at all. It doesn't help that as of
now rpm key importation can't handle signed keys, and thus
web-of-trust metrics can't be used natively to produce a metric of
trust of keys. How do you implement verification for those people who
understand what it means, without giving a false sense of security and
trust for those people who are misinformed about the process and end
up using the rawhide packages out of their original context? I say
you sign the metadata and have the informed people use the package
metadata for verification.

Can rawhide packages be automatically signed... of course.
Does autosigning help the intended, well informed, audience of the
rawhide packages... yes.
Does autosigning hurt the unintended, un-informed or mis-informed
audience... I think it does.

-jef
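The procedure Jef sketches above (verify the signature on the repository metadata, then compare each package's digest against the value the signed metadata lists) as an added, stand-alone example. This is not code from the post or from Fedora's own tools (up2date, yum, rpm); it assumes a detached gpg signature on the metadata file, a cut-down primary.xml-style document constructed here for illustration, and md5 digests as in the 2004 discussion (today's repodata uses sha256, and the digest type is simply read from the metadata, so the same code covers that). A package that is not listed in the signed metadata at all is reported as "unlisted": that is precisely the out-of-context package the post is worried about, and nothing about it can be verified this way, however it is signed.

```python
import hashlib
import os
import subprocess
import tempfile
import xml.etree.ElementTree as ET

# Constructed, cut-down metadata in the shape of a yum primary.xml document.
# The real file carries many more elements per package; only <checksum> and
# <location> matter for this check.  {good}/{tampered} are filled in by demo().
METADATA_TEMPLATE = """<?xml version="1.0"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="2">
  <package type="rpm">
    <name>good-pkg</name>
    <checksum type="md5" pkgid="YES">{good}</checksum>
    <location href="good-pkg-1.0-1.noarch.rpm"/>
  </package>
  <package type="rpm">
    <name>tampered-pkg</name>
    <checksum type="md5" pkgid="YES">{tampered}</checksum>
    <location href="tampered-pkg-1.0-1.noarch.rpm"/>
  </package>
</metadata>
"""


def verify_metadata_signature(metadata_path, signature_path, keyring_path):
    """Step 1: check the detached signature on the metadata with gpg.

    Only a GOODSIG status line from a key in the given keyring counts; a
    non-zero exit or a BADSIG/ERRSIG means the metadata must not be used.
    (Assumes the gpg command-line tool is installed.)
    """
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", signature_path, metadata_path],
        capture_output=True, text=True)
    return result.returncode == 0 and "[GNUPG:] GOODSIG" in result.stdout


def _local(tag):
    """Strip an XML namespace: '{ns}package' -> 'package'."""
    return tag.rsplit("}", 1)[-1]


def parse_checksums(metadata_xml):
    """Step 2: map each package location to its (digest algorithm, hex digest)."""
    expected = {}
    for pkg in ET.fromstring(metadata_xml).iter():
        if _local(pkg.tag) != "package":
            continue
        checksum = location = None
        for child in pkg:
            if _local(child.tag) == "checksum":
                checksum = (child.get("type"), child.text.strip())
            elif _local(child.tag) == "location":
                location = child.get("href")
        if checksum and location:
            expected[location] = checksum
    return expected


def file_digest(path, algorithm):
    """Hash a file with the algorithm named in the metadata (md5, sha256, ...)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_packages(metadata_xml, package_dir):
    """Step 3: compare on-disk packages against the (already verified) metadata.

    Returns {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}.  Locations are
    compared as bare file names here; a real repo would use the href path.
    """
    expected = parse_checksums(metadata_xml)
    results = {}
    for location, (algo, digest) in expected.items():
        path = os.path.join(package_dir, location)
        if not os.path.exists(path):
            results[location] = "missing"
        elif file_digest(path, algo) == digest:
            results[location] = "ok"
        else:
            results[location] = "mismatch"
    # Anything on disk that the signed metadata never mentions cannot be
    # vouched for by it, whatever key the package itself carries.
    for name in os.listdir(package_dir):
        if name.endswith(".rpm") and name not in expected:
            results[name] = "unlisted"
    return results


def demo():
    """Run the digest check over three constructed files: one intact, one
    altered after the metadata was produced, one never listed at all."""
    good = b"good-pkg payload (constructed, not a real rpm)"
    original = b"tampered-pkg payload as it was when the metadata was built"
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("good-pkg-1.0-1.noarch.rpm", good),
                           ("tampered-pkg-1.0-1.noarch.rpm", b"altered payload"),
                           ("stray-pkg-1.0-1.noarch.rpm", b"found outside the mirror")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        metadata = METADATA_TEMPLATE.format(
            good=hashlib.md5(good).hexdigest(),
            tampered=hashlib.md5(original).hexdigest())
        return check_packages(metadata, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

The signature step and the digest step are deliberately separate functions: the digests are only worth anything after `verify_metadata_signature` has returned True, which is the ordering the post insists on (check the list's signature first, then check the md5sums against the list).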