Package XYZ is not signed

Andrew Farris mailings at lordmorgul.net
Sun Oct 28 20:40:25 UTC 2007


nodata wrote:
> Am Donnerstag, den 25.10.2007, 22:51 -0400 schrieb Will Woods:
>> This has been discussed a bunch of times already. Rawhide packages
>> aren't signed. This is intentional.
> 
> That's nice. So I'll stop testing rawhide now because I don't know where
> the packages are from. Conveniently jumping off and on the security
> bandwagon at different stages in the release is a bit churlish.
> 
> It only takes one malicious unsigned package to be installed for the box
> to be compromised, and nothing will protect against that.
> 
> Come on though, we have auto-signing now, what was the killer reason for
> unsigned rpms?
> 

A malicious package that gets placed into the system by a maintainer would come
flying down into your system 'signed' by an autosign process too... and you'd
happily not notice.  That maintainer would pretty soon get reprimanded and the
packages cleaned up, but really nothing is in place to prevent that either (in
rawhide).  Testing rawhide isn't for boxes with corporate sensitive data...

If you keep an eye on where your packages are coming from, even for rawhide,
then you can be sure that only authorized maintainers have put them into the
system (control which mirrors you're pulling them from).  Actually signing the
package from the build system would change very little other than ensure that
the mirror you're downloading from did not bring in a new package that doesn't
belong.

So as it stands, you have to extend trust to the maintainers, and the mirror.
You can pick which mirror you trust.
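A defender's check that follows from this exchange, added here as an example and not taken from the list post: a small Python audit of yum `.repo` definitions that flags every enabled repository whose packages would be installed without a verified signature (`gpgcheck` not set to 1, or `gpgcheck=1` with no `gpgkey`). The repository text, names and URLs below are constructed for the demonstration.

```python
"""Audit yum .repo content for enabled repositories that install unsigned
packages. Hypothetical example; the repository text is constructed."""
import configparser
from typing import Dict, List

# Constructed sample of /etc/yum.repos.d/*.repo content (not a real file).
# A rawhide-style repo has to run with gpgcheck=0 because its packages are
# not signed, which is exactly the trust gap the thread discusses.
SAMPLE_REPOS = """
[fedora]
name=Fedora $releasever - $basearch
mirrorlist=https://mirrors.example.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[rawhide]
name=Fedora - Rawhide - Developmental packages
mirrorlist=https://mirrors.example.org/mirrorlist?repo=rawhide&arch=$basearch
enabled=1
gpgcheck=0

[local-testing]
name=Local test builds
baseurl=file:///srv/testbuilds
enabled=0
gpgcheck=0
"""


def audit_repos(repo_text: str) -> Dict[str, List[str]]:
    """Return {repo_id: [findings]} for enabled repos that would let yum
    install packages whose origin has not been cryptographically verified."""
    parser = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    parser.read_string(repo_text)
    findings: Dict[str, List[str]] = {}
    for repo_id in parser.sections():
        sec = parser[repo_id]
        if sec.getint("enabled", 1) != 1:
            continue  # a disabled repo is not a live install path
        problems = []
        # Treat a missing gpgcheck as 0, the yum default when [main] sets nothing.
        if sec.getint("gpgcheck", 0) != 1:
            problems.append("gpgcheck is not 1: only the mirror is trusted, not a key")
        elif "gpgkey" not in sec:
            problems.append("gpgcheck=1 but no gpgkey: verification depends on a pre-imported key")
        if problems:
            findings[repo_id] = problems
    return findings


if __name__ == "__main__":
    for repo_id, problems in audit_repos(SAMPLE_REPOS).items():
        for problem in problems:
            print(f"{repo_id}: {problem}")
```

With the sample above only `rawhide` is reported; the disabled `local-testing` repo is skipped because it cannot install anything until enabled.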

More information about the fedora-devel-list mailing list