Time to resurrect multi-key signatures in RPM?
Nils Philippsen
nils at redhat.com
Wed Aug 27 21:52:44 UTC 2008
On Wed, 2008-08-27 at 21:42 +0000, Bojan Smojver wrote:
> Les Mikesell <lesmikesell <at> gmail.com> writes:
>
> > But what if
> > it is the src rpm that is compromised so the builds will be identical
> > because they both contain the modification?
>
> That is not exactly the compromise of the build system and/or Fedora key, now is
> it? If your own contributors are subverting the system by uploading borked
> source, the mutli-key system isn't going to help (and I never claimed that).
>
> For people that are not convinced in the usefulness of this (in principle), go
> the a bank and try to open an account. See if they'll be OK with you producing
> just one piece of ID.
Not to fan the flames, but last time they did just that :-). And I'm
pretty sure they'll do it again, possibly because the IDs in question
are very hard to fake.
Nils
--
Nils Philippsen "Those who would give up Essential Liberty to purchase
Red Hat a little Temporary Safety, deserve neither Liberty
nils at redhat.com nor Safety." -- Benjamin Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
More information about the fedora-devel-list
mailing list