Proposal: Discourage rpmbuild --sign

Warren Togami warren at togami.com
Wed Dec 31 22:01:37 UTC 2003


Willem Riede wrote:
> 
> Thank you. Which brings me to my point. The original proposals to refuse
> to build as root and to discourage using --sign are in and of themselves
> inadequate. Novices that would rely on them would have a false sense of 
> security. The only thing that works is properly educated users that use
> precautions that are appropriate for the task at hand. 
> 
> Forcing a specific partial policy on all users is not what I want to see.
> 

Two laws of users:
1) Users almost never read documentation.
2) Given multiple paths, users will generally take the laziest path.

Given the above, I suggest a simple risk mitigating change:
"Software should discourage insecure practices by default."

For example look at xchat.  It warns you that running it as root is bad. 
When I was a newbie that was very valuable in my learning how to 
reduce risk.

I do not buy the "false sense of security" argument because that can be 
said of ANY precaution.  That does not however make "smart by default" 
policies bad to implement.  We have disabled services in a default 
install.  We do not run everything as root like Lindows.  Some things 
are just SMART.  My two proposals are not only smart defaults, but 
relatively unobtrusive and easy to teach proper methods.

I also do not buy the "let users hang themselves because this is Unix" 
argument.  There is simply NO REASON to let blank BuildRoot happen, and 
you cannot argue that building as root is good for package development 
and upstream Makefile quality.

Regarding rpmbuild --sign, it is true that you should be able to do 
stupid things if you truly want to.  This however does not give you the 
right to hang all of your users too, especially for a stupid reason like 
not taking a simple precaution and your GPG key is stolen.

How about this compromise:
Rather than disable rpmbuild as root or rpmbuild --sign, it should
1) Big warning message with URL to learn more.
2) Delay for 30 seconds.
3) Perhaps have a hidden config option to disable the warning & delay 
for users who want to hang themselves.  This option could be 
'%stupidbehavior yes'.

In any case, this is the leadership's decision.  My overall goal was to 
stir discussion and educate, which is quite effective when emotions are 
evoked. =)

Warren Togami
warren at togami.com
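The compromise proposed in this message (warn, delay, hidden opt-out macro) sketched as a wrapper script. This is an added example, not code from the thread or from rpm itself; it assumes the opt-out macro lives in ~/.rpmmacros as `%stupidbehavior yes`, and the learn-more URL is a placeholder.

```shell
#!/bin/sh
# Added example: wrapper implementing "warn + delay + hidden opt-out" around rpmbuild.
# Assumption: the opt-out macro is read from the file in RPMMACROS (default ~/.rpmmacros).
WARN_URL="https://example.invalid/rpmbuild-root-and-sign"   # placeholder URL
RPMMACROS="${RPMMACROS:-$HOME/.rpmmacros}"

# Returns 0 when the user has explicitly opted out of the warning and delay.
optout_set() {
    [ -r "$RPMMACROS" ] && grep -Eq '^%stupidbehavior[[:space:]]+yes' "$RPMMACROS"
}

# risky_reason EUID ARGS... -> prints why this invocation is risky, or nothing.
risky_reason() {
    euid="$1"; shift
    reason=""
    [ "$euid" -eq 0 ] && reason="running rpmbuild as root"
    for a in "$@"; do
        if [ "$a" = "--sign" ]; then
            reason="${reason:+$reason; }--sign makes your private GPG key available during the build"
        fi
    done
    printf '%s' "$reason"
}

# Wrapper entry point: warn, wait, then hand off to the real rpmbuild unchanged.
rpmbuild_wrapper() {
    reason=$(risky_reason "$(id -u)" "$@")
    if [ -n "$reason" ] && ! optout_set; then
        printf 'WARNING: %s.\nSee %s\nContinuing in 30 seconds (Ctrl-C to abort)...\n' \
            "$reason" "$WARN_URL" >&2
        sleep "${RPMBUILD_WARN_DELAY:-30}"
    fi
    exec rpmbuild "$@"
}
```

Install it ahead of rpmbuild in PATH and call `rpmbuild_wrapper "$@"` at the bottom of the script; RPMBUILD_WARN_DELAY only shortens the delay for testing.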