Updates System

[Nicolas Mailhot]

Le mercredi 16 mai 2007 à 11:18 -0500, Josh Boyer a écrit :
> On Wed, 2007-05-16 at 09:02 -0700, Chris Weyl wrote:
> > 
> > * a "make push" command that could be run to push a package w/o any
> > manual intervention.  For most packages, a "make tag build push" would
> > suffice, and the world wouldn't come to an end.
> 
> That should never happen for updates.  Packages are signed and you need
> a human to sign them.  Automating the signing process is absurd because
> if that's done, there is no point in signing things anyway.

Of course there is.
It's not as strong as manual signing but it prevents
$random_script_kiddie dumping files on one of the numerous Fedora
mirrors and have them propagated to user systems (Did the various
auto-signing opponents ever bothered with a security audit of every
Fedora mirror? Why would an attacker even bother with the root system
when there are countless mirrors to attack?)

Besides if someone manages to get access to the machine that does the
signing, he can probably inject files in the root mirror whether they
are signed or not, so you could as well advocate removing direct network
feed of this system and require rel-eng to push the packages manually
via a "secured" physical usb key.

We all know manual signing is ideal.
It's not practical for fedora-devel.
And auto-signing is a hell more secure than no signing at all

(on a similar vein refusing to do repotags bacause "filename" is not
secure is ridiculous, filename is not secure with or without repotags,
that's no reason not to have useful descriptive filemanes)

-- 
Nicolas Mailhot
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: Ceci est une partie de message num?riquement sign?e
URL: <http://listman.redhat.com/archives/fedora-maintainers/attachments/20070516/948dbf82/attachment.sig>