mock: enable gpgcheck for f8 config file
Michael E Brown
Michael_E_Brown at dell.com
Thu Jan 3 22:52:58 UTC 2008
On Thu, Jan 03, 2008 at 11:15:21PM +0100, Till Maas wrote:
> On Do Januar 3 2008, Michael E Brown wrote:
>
> > It looks to me like the goal of adding gpg key support is to add some
> > stricter security guarantees around mock builds. It would be nice if you
> > could codify exactly what you think the security guarantee should look
> > like, and what are the possible attack vectors against this. This should
> > guide us in resolving this.
>
> Using gpg support for mock builds makes the resulting rpm packages more
> trustworthy, because then the rpms used to populate the chroot can be trusted
> to be the official Fedora/CentOS ones. This is e.g. useful for uses that have
> internet access via an untrusted network, e.g. on conferences or at
> universities. There easily man in the middle attacks can occur, e.g. via arp
> or dns cache poisining or on conferences via rogue dhcp servers. And it also
> prevents against bad mirrors. Basically, using gpg for mock chroots has the
> same advantages as using gpg for a normal system.
I would probably just focus the discussion on 'bad mirrors' or 'evil
mirrors', as the other cases discussed are all just derivatives of this
case (afaict).
>
> > On the other hand, shipping the GPG keys with mock creates a maintenance
> > overhead, but one that I dont think is very large. These keys dont ever
> > (afaik) change, so it should be just a one time thing to get them in and
> > the configs set up.
>
> Even when only URLS are used that point to the keys, once the keys change, it
> is very likely that the URL changes, too. But I guess this will not happen
> for a specific release, so only when new config files for a new Fedora or
> CentOS release are created, maybe the gpg keys need to be adjusted.
There is an exceedingly slight advantage to having to change only a URL
in a config file over having to download and include another file. There
is also the advantage that if we support lots of default configs, we
dont have to ride herd on a directory full of gpg keys. (and knowning
when to expire them or download new ones.)
I am leaning myself towards trying if at all possible to simply use a
gpg key url.
--
Michael
More information about the Fedora-buildsys-list
mailing list