Time to resurrect multi-key signatures in RPM?

Nils Philippsen nils at redhat.com
Thu Aug 28 10:48:56 UTC 2008


On Thu, 2008-08-28 at 20:07 +1000, Bojan Smojver wrote:
> On Thu, 2008-08-28 at 10:49 +0200, Nils Philippsen wrote:
> 
> > Just about every bank in Germany would operate like this. After all, we
> > do have a national ID that is hard enough to fake(*) and if you present
> > it to entities like banks, they usually make a copy and can verify the
> > data on the ID with the "Einwohnermeldeamt" (possibly "residents
> > registration office").
> 
> In other words, they only marginally trust that ID card. Therefore, they
> cross-check with the office (but most likely NOT the person that issued
> the card) that what is on that document is ACTUALLY true.

I don't know if they do that at all or with everybody, in fact I'm
pretty sure they will accept the IDs at face value. Maybe they verify
old documents that don't have all the gizmos that make the ID hard to
fake today. I just wanted to point out that they can do that.

> Think of the card as the RPM coming out of Fedora build system, signed
> with Fedora key (i.e. all the hard to get paraphernalia that the card is
> made of). Think of the phone call to the office as a comparison to an
> independently built RPM. Think of the act of opening the bank account as
> an independent signatory signing the RPM.

All this doesn't help much if somebody manages to feed the process with
corrupt data in the beginning -- be that a fake ID when applying for
replacement for an expired ID, or somebody corrupting the repository
that keeps the source that is fed to the builders. Besides the
difficulties in making distributed build verification work solidly, we
have to harden the system/process that feeds the builders in the first
place -- which is already much easier than say hacking the builders.
Otherwise it's just GIGO, all pain and no gain.

Nils
-- 
Nils Philippsen      "Those who would give up Essential Liberty to purchase 
Red Hat               a little Temporary Safety, deserve neither Liberty
nils at redhat.com       nor Safety."  --  Benjamin Franklin, 1759
PGP fingerprint:      C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011




More information about the fedora-devel-list mailing list