Should Fedora rpms be signed?

Jeff Spaleta jspaleta at gmail.com
Mon Nov 1 22:04:59 UTC 2004


On Mon, 1 Nov 2004 14:51:34 -0600 (CST), Satish Balay <balay at fastmail.fm> wrote:
> And as Matias already pointed out - lets not mix QA perception with
> 'signature'.


I'm not. I haven't talked about QA at all. I'm talking about "trust"
as defined in mature pgp/gpg implementations. Would you like
references that talk about the trust metric inherent in something like gnupg?
I'm saying that comparing package signing as implemented inside
rpm to general purpose gpg signing using gnupg is a somewhat apples to
oranges discussion, and that the principles associated with general
purpose gpg usage using an implementation like gnupg cannot be mapped
over to rpm's signing implementation without acknowledgment that rpm's
lack of that inherent "trust" metric has greatly impacted what rpm
package signing has meant historically. Changing the meaning now,
simply by changing documentation, isn't good enough for me. I believe
the web-of-trust concept is a vital part of a full gpg implementation,
and that historically the lack of a web-of-trust metric has meant that
signed packages have been used both for shallow verification and as an
inherent measure of "trust". Once there is an inherent "trust" metric
in respect of signed keys inside rpm, many of my concerns would be
addressed. I encourage you to read up on how gnupg (aka gpg)
calculates its trust database... it has nothing to do with QA.

-jef
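As an added illustration (not part of the thread), a small Python model of the trust calculation gnupg performs over its trustdb, placed beside rpm's flat "is the key imported" check. The key names, ownertrust assignments and certification graph are constructed; the thresholds are gpg's default completes-needed, marginals-needed and max-cert-depth values.

```python
# Added example (not from the original thread): a model of the trust
# calculation gnupg performs on its trustdb, beside the flat check rpm makes.
# Defaults mirror gpg's classic trust model (--completes-needed 1,
# --marginals-needed 3, --max-cert-depth 5); key names are constructed.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5

def gpg_key_validity(ownertrust, certs):
    """Return {key: 'full' | 'marginal' | 'unknown'} for every key.
    ownertrust: {key: 'ultimate'|'full'|'marginal'|'unknown'|'never'}, the
                trust the local user assigned to each key as a certifier.
    certs:      {signer: set(keys it certified)}, i.e. the web of trust.
    A key is fully valid when certified by COMPLETES_NEEDED valid fully
    trusted keys or MARGINALS_NEEDED valid marginally trusted keys; only
    keys that are themselves valid contribute, so validity spreads outward
    from the ultimately trusted key, one hop per pass."""
    keys = set(ownertrust) | set(certs) | {k for s in certs.values() for k in s}
    validity = {k: 'unknown' for k in keys}
    for k, t in ownertrust.items():
        if t == 'ultimate':
            validity[k] = 'full'        # the user's own key is valid by fiat
    for _ in range(MAX_CERT_DEPTH):
        changed = False
        for key in keys:
            if validity[key] == 'full':
                continue
            signers = [s for s, signed in certs.items()
                       if key in signed and validity[s] == 'full']
            full = sum(ownertrust.get(s) in ('full', 'ultimate') for s in signers)
            marginal = sum(ownertrust.get(s) == 'marginal' for s in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = 'full'
            else:
                new = 'marginal' if marginal else 'unknown'
            changed |= new != validity[key]
            validity[key] = new
        if not changed:
            break
    return validity

def rpm_sig_ok(imported_keys, signing_key):
    """rpm's model: a good signature from any key in the rpmdb reports OK."""
    return signing_key in imported_keys

# Constructed web of trust: alice is the local user's own key.
OWNERTRUST = {'alice': 'ultimate', 'bob': 'full', 'carol': 'marginal',
              'dan': 'marginal', 'eve': 'marginal', 'mallory': 'full'}
CERTS = {'alice': {'bob', 'carol', 'dan', 'eve'}, 'bob': {'frank'},
         'carol': {'gina', 'hank'}, 'dan': {'gina', 'hank'}, 'eve': {'gina'},
         'mallory': {'victim'}}  # mallory is trusted but no valid key certified her
```

Running `gpg_key_validity(OWNERTRUST, CERTS)` leaves mallory and victim at 'unknown' and hank at 'marginal', while `rpm_sig_ok(set(OWNERTRUST), 'mallory')` is simply true once her key is imported.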




More information about the fedora-test-list mailing list