Fedora News Updates #1
Warren Togami
warren at togami.com
Wed Jan 7 12:40:16 UTC 2004
Andy Green wrote:
>
> This is the tip of an iceberg. For example, how many binary RPMs have we
> installed on our machines, signed or unsigned? Its possible that the
> signer's machines were compromised, or upstream sources attacked and then the
> results signed... and we have to install RPMs as root, so the scripts inside
> them run as root... for unsigned RPMs you are forced to trust the packager's
> good faith.
>
> -Andy
The last sentence is not true of unsigned RPMS. All the signature does
is mean "this package is probably signed by this GPG key owner". An
unsigned package is in far worse situation because there is NO WAY of
telling if that package was replaced by an imposter trojaned package
either at the source, or on a compromised mirror.
Signatures survive and are verifiable even after the message (or
package) has changed hands many times. Unsigned packages are totally
not verifiable.
For this reason everyone should sign absolutely everything. While
signatures alone don't protect you from malicious code or binaries, they
help to create a paper trail.
More information about the fedora-list
mailing list