Time to resurrect multi-key signatures in RPM?

Bojan Smojver bojan at rexursive.com
Tue Aug 26 07:38:46 UTC 2008


Bruno Wolff III <bruno at wolff.to> writes:

> I don't think you are really going to gain much from doing that.

This depends on a particular point of view, of course. If it so happened that
the Fedora (and/or RHEL) signing key was compromised during the most recent
intrusion, it would have been game over for users. Not so if packages had to be
signed by multiple keys before being accepted by yum.

> and adds a dependence on third parties

I see that as a feature, actually. It eliminates a single point of failure.

> And it doesn't completely prevent people from getting bad code signed.

I don't think it is possible to design a system that does that completely. But,
at least you have more folks looking over the packages (from multiple sources)
before signing them - more chance of spotting inconsistencies.

--
Bojan
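As an added illustration of the multi-key acceptance rule argued for in this post (example code written here, not RPM's or yum's own; it uses Ed25519 with constructed keys and a constructed package body purely to show the policy), a verifier that accepts a package only when at least a threshold of distinct trusted signers have validly signed it:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer identifies one package-signing party (hypothetical names: the distribution and an independent third party).
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// Signature is one detached signature over the package digest, labelled with the claimed signer.
type Signature struct {
	Signer string
	Sig    []byte
}

// AcceptPackage returns true only if at least `threshold` DISTINCT trusted signers
// have produced a valid signature over the package digest. A single compromised key
// (or the same key signing twice) therefore cannot get a package accepted on its own.
func AcceptPackage(digest []byte, sigs []Signature, trusted []Signer, threshold int) bool {
	valid := map[string]bool{}
	for _, s := range sigs {
		for _, t := range trusted {
			if t.Name == s.Signer && ed25519.Verify(t.Pub, digest, s.Sig) {
				valid[t.Name] = true // repeated signatures from one key count once
			}
		}
	}
	return len(valid) >= threshold
}

// Demo builds two trusted signers, signs a constructed package body, and reports whether
// the package is accepted with both keys (expected: yes) and with one key alone (expected: no).
func Demo() (both bool, one bool) {
	digest := sha256.Sum256([]byte("constructed package payload"))
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	trusted := []Signer{{"distro", pubA}, {"third-party", pubB}}
	sigA := Signature{"distro", ed25519.Sign(privA, digest[:])}
	sigB := Signature{"third-party", ed25519.Sign(privB, digest[:])}
	both = AcceptPackage(digest[:], []Signature{sigA, sigB}, trusted, 2)
	one = AcceptPackage(digest[:], []Signature{sigA, sigA}, trusted, 2)
	return both, one
}

func main() {
	both, one := Demo()
	fmt.Println("accepted with two keys:", both, "accepted with one key:", one)
}
```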

More information about the fedora-devel-list mailing list