mock: enable gpgcheck for f8 config file

Michael E Brown Michael_E_Brown at dell.com
Thu Jan 3 22:52:58 UTC 2008


On Thu, Jan 03, 2008 at 11:15:21PM +0100, Till Maas wrote:
> On Thu January 3 2008, Michael E Brown wrote:
> 
> > It looks to me like the goal of adding gpg key support is to add some
> > stricter security guarantees around mock builds. It would be nice if you
> > could codify exactly what you think the security guarantee should look
> > like, and what are the possible attack vectors against this. This should
> > guide us in resolving this.
> 
> Using gpg support for mock builds makes the resulting rpm packages more 
> trustworthy, because then the rpms used to populate the chroot can be trusted 
> to be the official Fedora/CentOS ones. This is e.g. useful for users that have 
> internet access via an untrusted network, e.g. at conferences or at 
> universities. There, man-in-the-middle attacks can easily occur, e.g. via arp 
> or dns cache poisoning, or at conferences via rogue dhcp servers. And it also 
> protects against bad mirrors. Basically, using gpg for mock chroots has the 
> same advantages as using gpg for a normal system.

I would probably just focus the discussion on 'bad mirrors' or 'evil
mirrors', as the other cases discussed are all just derivatives of this
case (afaict).

> 
> > On the other hand, shipping the GPG keys with mock creates a maintenance
> > overhead, but one that I don't think is very large. These keys don't ever
> > (afaik) change, so it should be just a one time thing to get them in and
> > the configs set up.
> 
> Even when only URLs are used that point to the keys, once the keys change, it 
> is very likely that the URL changes, too. But I guess this will not happen 
> for a specific release, so only when new config files for a new Fedora or 
> CentOS release are created, maybe the gpg keys need to be adjusted.

There is an exceedingly slight advantage to having to change only a URL
in a config file over having to download and include another file. There
is also the advantage that if we support lots of default configs, we
don't have to ride herd on a directory full of gpg keys (and knowing
when to expire them or download new ones).

I am leaning towards trying, if at all possible, to simply use a
gpg key URL.
--
Michael
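As an added illustration of the "evil mirror" case this thread is about (this script is not part of the original thread or of mock itself), the following audit loads a mock config the way mock does and reports every repo whose gpgcheck settings would still let unsigned or re-signed rpms into the chroot; the config text, repo names, URLs and key locations are constructed placeholders, not the real f8 config.

```python
import configparser

# Constructed sample in the layout mock uses for /etc/mock/*.cfg: a Python
# file filling config_opts, with the chroot's yum.conf embedded as a string.
# Repo names, URLs and key locations are placeholders, not the real f8 config.
SAMPLE_MOCK_CFG = r'''
config_opts['root'] = 'fedora-8-i386'
config_opts['yum.conf'] = """
[main]
gpgcheck=0
[fedora]
baseurl=http://mirror.example.invalid/fedora/8/i386/os/
gpgcheck=0
[updates]
baseurl=http://mirror.example.invalid/fedora/updates/8/i386/
gpgcheck=1
gpgkey=https://keys.example.invalid/RPM-GPG-KEY-fedora
[local]
baseurl=file:///srv/local-repo/
gpgcheck=1
"""
'''

def load_yum_conf(mock_cfg_text):
    """Evaluate a mock config the way mock does (exec with a config_opts
    dict) and return the embedded yum.conf text."""
    config_opts = {}
    exec(mock_cfg_text, {"config_opts": config_opts})
    return config_opts["yum.conf"]

def audit_repos(yum_conf_text):
    """Return {repo: [findings]}; an empty list means gpgcheck=1 with a
    gpgkey that is not itself fetched over plain http."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(yum_conf_text)
    # [main] may set the default; anything unset falls back to 0 (off).
    default = cp["main"].get("gpgcheck", "0") if cp.has_section("main") else "0"
    report = {}
    for repo in cp.sections():
        if repo == "main":
            continue
        findings = []
        gpgkey = cp[repo].get("gpgkey", "")
        if cp[repo].get("gpgcheck", default) != "1":
            findings.append("gpgcheck disabled: unsigned or tampered rpms accepted")
        elif not gpgkey:
            findings.append("no gpgkey: key must already be imported in the chroot rpmdb")
        elif gpgkey.startswith("http://"):
            findings.append("gpgkey over plain http: key download is MITM-exposed")
        report[repo] = findings
    return report
```

A clean result only confirms that checking is turned on for every repo; whether the key named by a gpgkey URL is actually the distribution's key is a separate question, which is why the thread's choice between a shipped key file and a key URL matters.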