Time to resurrect multi-key signatures in RPM?

Bojan Smojver bojan at rexursive.com
Thu Aug 28 00:16:58 UTC 2008


Les Mikesell <lesmikesell <at> gmail.com> writes:

> Is one significantly harder than the other? If it goes unnoticed the end 
> result could be the same.

This depends on many factors and it has no simple answer. Packagers usually rely
on checksums and signatures of upstream source before uploading to Fedora CVS
(or so I hope :-). But there is always a possibility that this can be
compromised, of course.

The result is, however, not the same. Compromise of Fedora build system and/or
key can compromise all packages in Fedora. Compromise of a single package cannot
(generally speaking - there are exceptions).

In any event, just because one security measure doesn't help with every possible
compromise doesn't mean it doesn't help at all.

> I'm not proposing an intentional trojan source submission, but a 
> compromise that modifies it in an unexpected way. I'd think if you go to 
> the trouble to compare builds you'd also want an end-to-end validity 
> check on the input to be sure it wasn't compromised either at the source 
> or in transit.

See above. But yeah, we may have signatories sign off on source RPMs first,
before they are built by alternative, independent build systems. It's a
valid point.

The main idea remains the same: "You can fool some of the people all of the
time, and all of the people some of the time, but you cannot fool all of the
people all of the time."

--
Bojan
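One way to implement the check the reply argues for, as an added example in Go that is not from this thread or from Fedora's or RPM's tooling: each independent build system signs the SHA-256 digest of the RPM it produced from the same source RPM, and the package is accepted only when at least k distinct trusted builders agree on one digest. Ed25519 stands in for the OpenPGP signatures RPM actually uses; the builder names, the Attestation type and the Quorum, Sign and Demo functions are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Attestation: one builder's signed claim of the SHA-256 digest it obtained when
// rebuilding a source RPM (type and field names are assumptions for this example).
type Attestation struct {
	Builder string
	Digest  [32]byte
	Sig     []byte
}
// Sign produces a builder's attestation over the bytes of the RPM it built.
func Sign(priv ed25519.PrivateKey, builder string, rpm []byte) Attestation {
	d := sha256.Sum256(rpm)
	return Attestation{Builder: builder, Digest: d, Sig: ed25519.Sign(priv, d[:])}
}
// Quorum accepts a build only when at least k distinct trusted builders validly signed
// the same digest, so with k >= 2 a single compromised key cannot push a package alone.
func Quorum(trusted map[string]ed25519.PublicKey, atts []Attestation, k int) bool {
	votes, voted := map[[32]byte]int{}, map[string]bool{} // one vote per builder
	for _, a := range atts {
		pub, ok := trusted[a.Builder]
		if !ok || voted[a.Builder] || !ed25519.Verify(pub, a.Digest[:], a.Sig) {
			continue // untrusted builder, duplicate vote, or forged signature
		}
		voted[a.Builder], votes[a.Digest] = true, votes[a.Digest]+1
	}
	for _, n := range votes {
		if n >= k {
			return true
		}
	}
	return false
}
// Demo: 2-of-3 quorum. Two honest builders agree on the genuine RPM while a compromised
// one signs a tampered rebuild. Returns (genuine accepted, compromised builder alone accepted).
func Demo() (bool, bool) {
	trusted, keys := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, n := range []string{"koji", "rebuilder-a", "rebuilder-b"} {
		trusted[n], keys[n], _ = ed25519.GenerateKey(rand.Reader) // fresh keys each run
	}
	good, bad := []byte("constructed stand-in for foo-1.0-1.x86_64.rpm"), []byte("constructed trojaned rebuild")
	mixed := []Attestation{Sign(keys["koji"], "koji", good), Sign(keys["rebuilder-a"], "rebuilder-a", good), Sign(keys["rebuilder-b"], "rebuilder-b", bad)}
	alone := []Attestation{Sign(keys["rebuilder-b"], "rebuilder-b", bad), Sign(keys["rebuilder-b"], "rebuilder-b", bad)}
	return Quorum(trusted, mixed, 2), Quorum(trusted, alone, 2)
}
```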