Why are updates processed so slowly?

Jesse Keating jkeating at redhat.com
Fri Feb 6 22:41:54 UTC 2009


On Fri, 2009-02-06 at 23:17 +0100, Joshua C. wrote:
>  
> What about the signing server? How should it replace the human factor?
> Why is it so complicated to be implemented?

The signing server will replace the current act of a human inputting a
GPG passphrase at package signing time.  The server itself will use
mechanisms so that the signing human just has to authenticate with the
server, and the server will decide if that user is allowed to make use
of a given key, and do the passphrasing for the user.  It allows us to
grant access to more humans without having to share the passphrase and
the actual key files.  Right now, to add anybody else to the signing
pool, we have to give them the private keys as well as the passphrases,
which means we can never revoke their ability to sign things under
Fedora's name.

With the signing server, we can revoke their rights to sign, and be done
with it.  They never possess the private key, nor the passphrase
necessary to use it.

The complexity comes in with trying to design something that is secure,
yet is usable by people on the Internet.  Further complexity comes in
with wanting to use larger bitsize keys for F11+ and the current koji
code not supporting such keys.  It is a multifaceted issue.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
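
The model described in the message above, as an added example that is not part of the original post and is not Fedora's signing server code: signers authenticate, the server checks a per-key access list, and the key material stays on the server so revoking a signer is a single ACL change. The class, method, user and key names are hypothetical, and HMAC-SHA256 stands in for the GPG signing step.

```python
import hashlib
import hmac
import secrets

class SigningServer:
    """Holds the signing secrets; callers only ever receive signatures."""
    def __init__(self):
        self._keys = {}    # key name -> secret, never returned to callers
        self._tokens = {}  # user -> SHA-256 of that user's login token
        self._acl = {}     # key name -> users allowed to sign with it

    def add_key(self, key_name):
        self._keys[key_name] = secrets.token_bytes(32)
        self._acl[key_name] = set()

    def enroll(self, user):
        token = secrets.token_hex(16)  # handed to the signer once
        self._tokens[user] = hashlib.sha256(token.encode()).digest()
        return token

    def grant(self, user, key_name):
        self._acl[key_name].add(user)

    def revoke(self, user, key_name):
        self._acl[key_name].discard(user)

    def sign(self, user, token, key_name, data):
        expected = self._tokens.get(user)
        supplied = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, supplied):
            raise PermissionError("authentication failed")
        if user not in self._acl.get(key_name, ()):
            raise PermissionError(f"{user} may not use {key_name}")
        # Stand-in for the GPG signing step: HMAC-SHA256 under the held secret.
        return hmac.new(self._keys[key_name], data, hashlib.sha256).hexdigest()

def demo():
    # Constructed scenario with hypothetical names: grant, sign, revoke, retry.
    server = SigningServer()
    server.add_key("release-key")
    token = server.enroll("alice")
    server.grant("alice", "release-key")
    sig = server.sign("alice", token, "release-key", b"constructed package")
    server.revoke("alice", "release-key")
    try:
        server.sign("alice", token, "release-key", b"constructed package")
        return sig, True    # revocation failed to take effect
    except PermissionError:
        return sig, False   # revoked signer is refused; nothing to claw back
```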
More information about the fedora-devel-list mailing list