Should Fedora rpms be signed?

Nils Philippsen nphilipp at redhat.com
Fri Nov 5 17:00:18 UTC 2004


On Thu, 2004-11-04 at 17:12 -0500, Peter Jones wrote:
> On Thu, 2004-11-04 at 11:33 +0100, Nils Philippsen wrote:
> > On Mon, 2004-11-01 at 18:50 -0500, Peter Jones wrote:
> > > On Mon, 2004-11-01 at 17:34 -0600, Satish Balay wrote:
> > > > Ok - you & Seth seem to have a solution to the problem.
> > > > 
> > > > Still no good explanation why ALL keys should be treated the same.
> > > 
> > > Because there's nothing about a key that tells you how to treat it.
> > 
> > Exactly. There's where "common sense" comes into play, i.e. I shouldn't
> > enable Rawhide repositories if a broken system makes me cry.
> 
> We're not just talking about rawhide.  We're talking about Axil's repo,
> and Matthias's repo, and the cdparanoia repo on my people.redhat.com
> site, and the repo on Seth's website.
> 
> There is no common sense answer to "I have 40 keys signing things and
> none of them specify what the signature means".
> 
> Quit thinking that we're talking about one key.  We're talking about
> many.

Yes. Currently the tools (RPM, the RPM format, yum, up2date) don't allow
you or me or anyone to codify what a specific key means, i.e. I can only
codify "I want only packages from a trusted origin" or nothing at all.
Well, I could if all Rawhide packages were signed ;-). Anyway, that's
what we have to tell users if they have different ideas about a key --
if it's in your RPM keyring it means RPM and up2date and yum will
install a package signed with that key without complaining to you that
it's not signed (at all or with an unknown key, doesn't matter).

> > Let's face it, currently a signed package only means "someone/-thing has
> > signed off on it" on a technical level, anything else is just what we
> > humans put into it and nothing tools can guess by themselves. I.e. we
> > can only differentiate between "keys we trust" on a certain system by
> > either putting them into yum.conf/sources or not. Everything beyond that
> > would need infrastructure that currently doesn't exist.
> 
> Yes, anything beyond that needs infrastructure that doesn't currently
> exist.  Currently yum and up2date take signatures to mean something
> beyond that, and they treat all signatures in rpms equally in this
> regard.  That means we need infrastructure beyond looking at the key and
> guessing wildly what a signature by it means.

Currently, we can only "emulate" what you want with the available tools,
i.e. importing the Rawhide key implicitly lowers the entry level quality
of the packages that the tools will install without complaining -- and
without the tools knowing that they do it ;-). Seth's extending yum to
enable certain keys only for certain repositories helps a bit, but to
fully achieve what you describe we really have to extend RPM packages in
a way, where a signature can convey meaning beyond "this package passed
that signer".

> yum and up2date interpret a specific meaning for a package signature: if
> the key is known to rpm, a valid signature means the package was
> transmitted as intended from the signer.
> 
> It's not even very difficult infrastructure to make (at least in the
> most naive form), but so far you've objected to nothing except my
> premise that people don't know what a signature means, which you now
> seem to agree with.  What gives?

Hey, all I said is that we shouldn't take their ill idea on what a
signature means as some kind of standard to adhere to. I think it is
wrong if we don't sign packages on that basis, it hurts us (and the
tester) more if a tester can't verify that he's actually testing the
right package (which shouldn't be intentionally malicious) than if
someone who doesn't bother to read READMEs, who will probably import any
key found on the net into his own RPM keyring ;-), installs a Rawhide
package on an FC2 system. I fully agree and even proposed extending RPM
so that signatures can sign off on multiple things like "origin/build
system passed", "QA passed", ... but until this is done we have to live
with the limitations of what exists now.

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011