Should Fedora rpms be signed?

nodata fedora at nodata.co.uk
Fri Oct 29 14:25:24 UTC 2004


> On Fri, 29 Oct 2004 15:36:47 +0200, Nils Philippsen <nphilipp at redhat.com>
> wrote:
>> This still forces me to use special tools like up2date and yum to access
>> the packages if I want to verify their origins.
>
> actually...no.
>
> you can grab the signed metadata with the md5sums, check the sig on that.
> and then do a md5sum check comparing the md5sum values in the metadata
> and the package. You can do the md5sum check by hand. This isn't much
> different than the situation with the isos.  How do you verify you are
> using the correct isos? you check the md5sums against an md5sum list.
> How do you check the validity of the md5sum list?
> You check the md5sum list signature.
>
> You might argue it would be a good idea if there was a signed flat
> md5sum list for all packages as well as the xml metadata, so the
> md5sum command could use it. And then I'll tell you, you need to
> accept the inevitable future of xml for all possible human
> communication adopted by unanimous United Nations resolution, and you
> should fix md5sum to parse xml structure files for md5sum sigs :->
>
> And I really really really don't want to encourage people to use
> rawhide packages randomly from something like an online rpm warehouse.
> I don't want misinformed people, being able to pick up an individual
> rawhide package, see that it's signed, and use the fact that there is a
> verifiable signature as an easy excuse to assume it's totally okay to
> install. This sort of crap happens a lot with unsigned rawhide, and I
> don't want people who misunderstand what a signature really means to
> feel more comfortable installing rawhide packages when they should not
> be.  There is a gap between the technical definition of what signing
> a package means, and common perception of what a signed package means.
> My concern is not for people like yourself, who understand that a
> rawhide key doesn't mean anything beyond 'this package was built on the
> automated rawhide build system.'  My concern is for the people, the
> much larger group of people, who will misinterpret the level of trust
> associated with ANY key and will be that much more inclined to install
> a random rawhide package they happen to find outside of a rawhide
> mirror, without thinking about it at all.  It doesn't help that as of

But "rpm" doesn't require a signature for an install. yum does.

If an ill-informed user downloads and installs a rawhide package, they'd
never find out whether it was signed or not.

Only users tracking rawhide with yum will be told about this missing
signature, and these aren't the ill-informed ones (in your example).

> now rpm key importation can't handle signed keys, and thus
> web-of-trust metrics can't be used natively to produce a metric of
> trust of keys.  How do you implement verification for those people who
> understand what it means, without giving a false sense of security and
> trust for those people who are misinformed about the process who end
> up using the rawhide packages out of their original context?  I say
> you sign the metadata and have the informed people use the package
> metadata for verification.
>
> Can rawhide packages be automatically signed... of course
> Does autosigning help the intended, well informed, audience of the
> rawhide packages... yes
> Does autosigning hurt the unintended, un-informed or mis-informed
> audience... i think it does.
>
> -jef
>
> --
> fedora-test-list mailing list
> fedora-test-list at redhat.com
> To unsubscribe:
> http://www.redhat.com/mailman/listinfo/fedora-test-list
>
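A worked version of the manual check Jef describes above (verify the signature on the metadata, then compare the package's checksum against the entry in that metadata) is given below. It is an added example, not code from either poster, from yum, or from Fedora's tooling. The XML layout, file names and package bytes are constructed stand-ins loosely modelled on yum's primary.xml; the only real interface it touches is the `gpg --batch --verify` command line.

```python
"""Verify a package against signed repository metadata, step by step.

Added example, not code from the Fedora project, from yum, or from the
thread above. SAMPLE_METADATA is a constructed stand-in loosely modelled
on yum's primary.xml (<package> with <checksum type=".."> and
<location href=".."/>); real repodata is richer and is reached via repomd.xml.
"""
import hashlib
import hmac
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# --- constructed sample data: not a real rpm, not real metadata -----------
SAMPLE_PACKAGE = b"not-really-an-rpm: foo-1.0-1.i386\n"
SAMPLE_PACKAGE_MD5 = hashlib.md5(SAMPLE_PACKAGE).hexdigest()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<metadata>
  <package type="rpm">
    <name>foo</name>
    <checksum type="md5">{SAMPLE_PACKAGE_MD5}</checksum>
    <location href="foo-1.0-1.i386.rpm"/>
  </package>
  <package type="rpm">
    <name>bar</name>
    <checksum type="sha">0000000000000000000000000000000000000000</checksum>
    <location href="bar-2.0-1.i386.rpm"/>
  </package>
</metadata>
"""


def verify_detached_signature(data_path, sig_path, keyring=None):
    """Step 1: check the detached signature on the metadata with gpg.

    True only if gpg exits 0 (signature good under a key in the keyring).
    A bad signature, an unknown key, or no gpg binary all give False.
    What a pass proves: the metadata came from the key holder. No more.
    """
    cmd = ["gpg", "--batch", "--verify"]
    if keyring is not None:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += [str(sig_path), str(data_path)]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except FileNotFoundError:  # gpg not installed
        return False


def expected_checksums(metadata_xml):
    """Step 2: map each package href to (digest type, lowercase hex digest)."""
    table = {}
    for pkg in ET.fromstring(metadata_xml).iter("package"):
        ck, loc = pkg.find("checksum"), pkg.find("location")
        if ck is None or loc is None or not ck.text:
            continue
        table[loc.get("href")] = (ck.get("type"), ck.text.strip().lower())
    return table


def check_package(pkg_bytes, href, checksums):
    """Step 3: hash the package and compare with the signed metadata entry.

    The digest algorithm comes from the metadata (yum's old "sha" is SHA-1).
    A package that is not listed fails closed.
    """
    if href not in checksums:
        return False
    algo, want = checksums[href]
    algo = {"sha": "sha1"}.get(algo, algo)
    try:
        got = hashlib.new(algo, pkg_bytes).hexdigest()
    except ValueError:  # digest name hashlib does not know
        return False
    return hmac.compare_digest(got, want)


def verify_package(metadata_path, sig_path, pkg_path, href, keyring=None):
    """Whole chain: signed metadata first, then the per-package hash.

    True means "this file is what the metadata signer listed under this
    name", which is all a signature can say; it does not mean "safe".
    """
    if not verify_detached_signature(metadata_path, sig_path, keyring):
        return False
    checksums = expected_checksums(Path(metadata_path).read_text())
    return check_package(Path(pkg_path).read_bytes(), href, checksums)


def demo():
    """Hash step alone vs. the full chain with a bogus (constructed) .asc.

    Returns (True, False): the checksum matches, but an unsigned or badly
    signed checksum list proves nothing, so the chain refuses.
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "primary.xml").write_text(SAMPLE_METADATA)
        (d / "primary.xml.asc").write_bytes(b"-----BEGIN PGP SIGNATURE-----\ngarbage\n")
        (d / "foo-1.0-1.i386.rpm").write_bytes(SAMPLE_PACKAGE)
        hash_only = check_package(SAMPLE_PACKAGE, "foo-1.0-1.i386.rpm",
                                  expected_checksums(SAMPLE_METADATA))
        full = verify_package(d / "primary.xml", d / "primary.xml.asc",
                              d / "foo-1.0-1.i386.rpm", "foo-1.0-1.i386.rpm")
        return hash_only, full


if __name__ == "__main__":
    print("checksum matches / signed chain verifies:", demo())
```

The order matters: the checksum comparison is only as good as the signature on the list it came from, so step 3 is skipped entirely if step 1 fails. This is also where the reply's point bites: `rpm -K` (or `--checksig`) reports a package's signature state, but `rpm -i` does not refuse an unsigned package, so someone installing a stray rawhide rpm by hand never hits either step unless they run them deliberately.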