warning to list

Alexandre Oliva aoliva at redhat.com
Tue Oct 26 13:47:21 UTC 2004


On Oct 25, 2004, Matias Féliciano <feliciano.matias at free.fr> wrote:

> Do you mean that RHEL does not have its owner Rawhide during beta
> cycle ?

I think that's a RHN repository, which certainly goes through more
scrutiny.  I may be wrong on this, I'm more of a Fedora-tracking
person myself.

>> It's just a dump of the latest
>> builds of every package in the Red Hat build system

> To be honest, I am not surprised :-)

Why would you be?  That's exactly what it has always been.  Has anyone
ever implied it to be anything different?

> Signed rpm means: you can verify the "origin" of the package.

Yeah.  If it's signed automatically, upon request from some random (or
even specific) machine without interactive password authentication, it
means the signature is not worth much.

> pub  1024D/1CDDBCA9 2003-10-27 Fedora Project automated build signing key (2003) <rawhide at redhat.com>

This signature is actually manual.  One of the few people who control
the keys has to be there to put it there.

>> for being generated with a
>> key not protected by a passphrase, stored on a box not exactly secure.

> Sorry, but it's Red Hat/Fedora's concern.
> I am surprised to learn that Red Hat is not able to set up a secure box
> only to automatically sign packages.

Nobody is.  One could think it's secure, but as soon as there's a
break-in, security assumptions break down, and then, the safer the
keys are, the better.

> You cannot say "signed rpm is not valuable" because "build server is
> not secure".
> Add to your TODO list:
> - first: secure the build server
> - second: add an automated signature

You're mixing things up here.  It is (IIUC) sufficiently secure.
Opening up a hole to enable automated signatures wouldn't make it any
more secure; it would actually only reduce the value of such a
signature.

> Without signed rpm, *each* mirror can contain a trojan ...
> Each mirror should be secure.
> With signed rpm, _only_ the build system should be secure.

No disagreement here.  Looks like what you want is something other
than rawhide.  You want something that has undergone manual signing.

> AFAIK, all beta packages of RHEL are signed.

So are all Fedora packages in Fedora Test releases.

I suppose RHEL's equivalent of the Fedora Core Development tree,
should it actually be a RHN channel as I believe it is, may be subject
to RHN's requirements, which probably includes package signing.  This
means it's not latest-and-greatest, but rather
latest-and-greatest-that-already-got-signed.

> gpg is not a QA. gpg is "only" for security and authentication purposes.

And if it's signed with a key that's not protected with a passphrase,
you're not supposed to trust the key anyway, so what is it worth?  You
certainly don't get any security or authentication from it.

(ok, you get a tiny little bit, if you believe that *nobody* will
*ever* be able to break into such an automatic signing machine you're
talking about and steal the signing key from it.  I'd rather trust a
secure key.)

> Do you mean that when packages are "manually" signed they are carefully
> checked?

No, just that the passphrase is (or should be) entered only on a box
that's physically secure and doesn't accept incoming connections,
which significantly reduces the possibility that someone would be able
to break into it and obtain access to the signing key.  And, even if
they somehow do, there's a passphrase protecting it.

I'll give you that it would be possible to have such a box hold the
passphrase in a signing agent, and have an automated process that
monitors the build system and goes off signing packages as they make
it through it (i.e., without incoming notifications), but this means
that the passphrase would be exposed for far longer than needed to
sign specific packages, making the signing key less secure.

Heck, even the signing key itself shouldn't be available except while
signing packages.  It should ideally be on removable media, only
connected to the signing machine while signing packages.

This all, of course, doesn't mean no attention has to be paid to the
security of the box on which you sign packages.  It just means keeping
it as secure as possible isn't enough to ensure the key is safe.

-- 
Alexandre Oliva             http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer   aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist  oliva@{lsd.ic.unicamp.br, gnu.org}
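The practical consequence of this thread for someone consuming packages from a mirror is a key policy: after `rpm -K` has verified a signature against the keys imported into the rpm database, decide per host which of those keys are acceptable, so that packages signed only by the automated build key (1CDDBCA9 in the listing quoted above) are not treated like manually signed release packages. The script below is an added example, not code from the original mail or from Fedora; it reads the signing key ID that rpm reports for a package (`rpm -qp --qf '%{SIGGPG:pgpsig}'` for DSA signatures, `%{SIGPGP:pgpsig}` for RSA ones) and checks it against two constructed allowlists. The release-key entry is a placeholder, and in the sample strings only the last eight hex digits of the automated key come from the thread; the rest is made up.

```python
import re
import subprocess
from typing import Optional

# Policy sets are constructed for this example. Key IDs are compared on their
# last 8 hex digits, the "short" ID gpg prints (1CDDBCA9 is quoted in the thread).
AUTOMATED_KEYS = {"1CDDBCA9"}
# PLACEHOLDER: replace with the ID of the manually operated release signing key you trust.
RELEASE_KEYS = {"00000000"}

# rpm's pgpsig format looks like "DSA/SHA1, <date>, Key ID <hex>"; "(none)" means no signature.
_KEY_ID = re.compile(r"Key ID ([0-9A-Fa-f]{8,16})")


def signing_key_id(pgpsig: str) -> Optional[str]:
    """Return the upper-cased key ID from an rpm pgpsig string, or None if unsigned."""
    match = _KEY_ID.search(pgpsig)
    return match.group(1).upper() if match else None


def classify(pgpsig: str) -> str:
    """Map a pgpsig string to a policy verdict: unsigned, release, automated or unknown."""
    key_id = signing_key_id(pgpsig)
    if key_id is None:
        return "unsigned"
    short = key_id[-8:]
    if short in RELEASE_KEYS:
        return "release"
    if short in AUTOMATED_KEYS:
        return "automated"
    return "unknown"


def acceptable(pgpsig: str, allow_automated: bool = False) -> bool:
    """Release-key signatures always pass; automated-key ones only on hosts that opt in."""
    verdict = classify(pgpsig)
    if verdict == "release":
        return True
    return allow_automated and verdict == "automated"


def query_pgpsig(rpm_path: str) -> str:
    """Ask rpm which key signed the package; run `rpm -K` first for the actual verification."""
    out = subprocess.run(
        ["rpm", "-qp", "--qf", "%{SIGGPG:pgpsig}|%{SIGPGP:pgpsig}", rpm_path],
        capture_output=True, text=True, check=True,
    ).stdout
    # rpm prints "(none)" for a tag that is absent; keep whichever half carries a signature.
    return next((part for part in out.split("|") if part != "(none)"), "(none)")


# Constructed sample output in rpm's pgpsig format (no real packages involved).
SAMPLE_SIGS = {
    "rawhide-built.rpm": "DSA/SHA1, Tue 26 Oct 2004 01:47:21 PM UTC, Key ID 000000001cddbca9",
    "unsigned.rpm": "(none)",
    "stranger.rpm": "RSA/SHA256, Tue 26 Oct 2004 01:47:21 PM UTC, Key ID ffffffffffffffff",
}


def audit(sigs: dict, allow_automated: bool = False) -> dict:
    """Return {package: (verdict, accepted)} for a mapping of package name to pgpsig string."""
    return {name: (classify(sig), acceptable(sig, allow_automated)) for name, sig in sigs.items()}


if __name__ == "__main__":
    for name, (verdict, ok) in audit(SAMPLE_SIGS, allow_automated=False).items():
        print(f"{name:20} {verdict:10} {'accept' if ok else 'reject'}")
```

Replace `SAMPLE_SIGS` with `query_pgpsig(path)` results to audit real files; the `rpm -K` step remains the one that cryptographically verifies the signature, this script only enforces which imported keys a host is willing to accept.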

More information about the fedora-test-list mailing list