mock: enable gpgcheck for f8 config file

[Michael E Brown]

On Thu, Jan 03, 2008 at 04:57:45PM -0600, Michael E Brown wrote:
> On Thu, Jan 03, 2008 at 05:22:27PM -0500, seth vidal wrote:
> > 
> > On Thu, 2008-01-03 at 23:18 +0100, Till Maas wrote:
> > > On Do Januar 3 2008, seth vidal wrote:
> > > 
> > > > it uses urlgrabber which uses urllib[2] underneath. ssl connections
> > > > specific ca to focus on.
> > > >
> > > > but what does this have to do with gpg certs? gpg certs aren't ssl
> > > > certs.
> > > 
> > > When yum (rpm?) verifies ssl certificates for https urls to acquire gpgkeys, 
> > > it is possible to use these urls in the mock config, without losing (much) 
> > > security.
> > 
> > too many options here:
> > 1. rpm has nothing to do, in yum, with downloading gpg keys or packages.
> > 2. you want to use an ssl cert to verify the location we're retrieving
> > the gpg keys from? And you want to use a special CA to guarantee we have
> > the right one?
> > 3. What's the LOSS of security you're worried with?
> 
> I believe that Till is concerned with establishing a chain-of-trust so
> that we know the output RPMs from mock are good. This chain starts at
> the mock binary and goes to the mirror we download the RPMs from for the
> chroot. We have to have a way to know that what we are downloading from
> the mirror has not been compromised in any way.
> 
> Till, from a maintenance standpoint, I favor simply adding an https url
> for the gpg keys. From a security perspective, it would most likely be
> best if mock included the respective keys.
> 
> If mock is going to include keys, you should name them after the
> respective mock configs so it is easy to see when we can drop specific
> keys. RPM-GPG-KEY-fedora-8-x86_64 or something similar.

Looking at this further, not a *huge* deal, but if you add the actual
files to the mock rpm, this will break my unit tests unless you manually
copies the files into place before running the tests.
--
Michael