Should Fedora rpms be signed?

Féliciano Matias feliciano.matias at free.fr
Fri Nov 5 16:51:47 UTC 2004


On Friday 05 November 2004 at 11:10 -0500, Peter Jones wrote:
> On Thu, 2004-11-04 at 23:45 +0100, Féliciano Matias wrote:
> > On Thursday 04 November 2004 at 15:37 -0500, Peter Jones wrote:
> > > Also note that those which are signed are currently signed by hand, and
> > > one thing people have been advocating is automatic signing.  Automatic
> > > signing, I'll obviously argue, is a total loss.
> > 
> > What is an SSL server if it's not an automatic signing machine?
> > Total loss...
> 
> That's completely ignoring the contexts of package distribution and the
> policies put in place by current package update tools.  None of them
> trust packages *just* because they are fetched over SSL,

Again, you (and many others) are mixing things.

a)
I do not trust rawhide packages (for mission critical systems).
I trust RHEL packages (for mission critical systems).

b)
I can't trust the origin of unsigned rawhide packages.
I can't trust the origin of unsigned RHEL packages.

c)
I trust the origin of signed rawhide packages.
I trust the origin of signed RHEL packages.

a) is not related to signed or unsigned packages.
Should I trust/install RHEL packages _only_ because they are signed?
NO!

A signed RHEL package guarantees the package origin. Nothing more.
The support and reputation of Red Hat give me the "feeling" that I should
trust RHEL packages (my knowledge tells me this is true only for a RHEL
installation and with a good administrator :-)).

Should I trust this package only because it is signed? :
$ rpm -K -v hdparm-5.7-2.2.i586.rpm
hdparm-5.7-2.2.i586.rpm:
    Hachage de l'entête SHA1: OK (91f6e5752df69fb07a8f28badd3c90e91eaa0c37)
    Somme MD5: OK (eb24fab7ac89e67fb2e882fd11e7ee07)
    signature V3 DSA: NOKEY, key ID 9c800aca

Is this package suitable for mission critical use? :
$ rpm -K -v hdparm-5.7-2.i386.rpm
hdparm-5.7-2.i386.rpm:
    Entête signature V3 DSA: OK, key ID 4f2a6fd2
    Hachage de l'entête SHA1: OK (0115990d6b8e85627bdf24a1f7f8f74627ea5a2b)
    Somme MD5: OK (9621b9025c6538da72605fade8d028ed)
    signature V3 DSA: OK, key ID 4f2a6fd2

You can *not* answer these two questions with the signature alone.
Period.

A signed package means ONE thing and only ONE thing.
We should not base our thinking on a wrong definition.

It's time for Red Hat to define what Rawhide is/means. Signed (or not)
packages are out of the scope of this definition.

>  nor do they
> reject packages which aren't.
> -- 
>         Peter
> 
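The distinction the thread keeps circling (a good signature establishes who produced the package, and whether that producer's key is one you choose to trust is a separate policy decision) is easy to see in code. The following Python script is an added example, not part of the original post or of rpm; it parses `rpm -K -v` output in the shape quoted above (the two real outputs from the thread are embedded as samples, French-locale labels included), reports what the signature check actually proves, and applies a separate, administrator-owned key allowlist. The `TRUSTED_KEYS` mapping and its label are assumptions, and the tampered and unsigned samples are constructed for illustration.

```python
"""Classify `rpm -K -v` output: a signature proves origin; trusting the signer is policy."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample outputs taken from the two `rpm -K -v` runs quoted in the thread.
UNKNOWN_KEY_OUTPUT = """\
hdparm-5.7-2.2.i586.rpm:
    Hachage de l'entête SHA1: OK (91f6e5752df69fb07a8f28badd3c90e91eaa0c37)
    Somme MD5: OK (eb24fab7ac89e67fb2e882fd11e7ee07)
    signature V3 DSA: NOKEY, key ID 9c800aca
"""
SIGNED_OUTPUT = """\
hdparm-5.7-2.i386.rpm:
    Entête signature V3 DSA: OK, key ID 4f2a6fd2
    Hachage de l'entête SHA1: OK (0115990d6b8e85627bdf24a1f7f8f74627ea5a2b)
    Somme MD5: OK (9621b9025c6538da72605fade8d028ed)
    signature V3 DSA: OK, key ID 4f2a6fd2
"""
# Constructed samples (not from the thread): a package whose digests fail, and one with no signature.
TAMPERED_OUTPUT = """\
example-1.0-1.i386.rpm:
    Hachage de l'entête SHA1: BAD (0000000000000000000000000000000000000000)
    Somme MD5: BAD (00000000000000000000000000000000)
    signature V3 DSA: BAD, key ID 4f2a6fd2
"""
UNSIGNED_OUTPUT = """\
example-1.0-1.i386.rpm:
    Hachage de l'entête SHA1: OK (1111111111111111111111111111111111111111)
    Somme MD5: OK (11111111111111111111111111111111)
"""

# Assumption: the administrator's own allowlist of signing keys and what each key
# stands for. The label is made up; the key ID is the one shown in the thread.
TRUSTED_KEYS: Dict[str, str] = {"4f2a6fd2": "vendor release key (assumed)"}

# Matches both "signature V3 DSA: OK, key ID ..." and "Entête signature V3 DSA: ...".
SIG_RE = re.compile(
    r"signature\s+V\d\s+[\w/]+:\s*(?P<status>\w+)(?:,\s*key ID\s+(?P<keyid>[0-9a-f]+))?",
    re.IGNORECASE,
)
# Matches the SHA1 header hash and MD5 payload digest lines regardless of locale label.
DIGEST_RE = re.compile(r"\b(SHA1|MD5)\b[^:\n]*:\s*(?P<status>\w+)")


@dataclass
class Verdict:
    package: str
    origin: str                # verified | unknown_key | bad_signature | corrupt | unsigned
    key_ids: List[str]         # signing key IDs seen in the output
    trusted_as: Optional[str]  # allowlist label, set only when origin == "verified"


def classify(output: str, trusted_keys: Dict[str, str] = TRUSTED_KEYS) -> Verdict:
    lines = output.strip().splitlines()
    package = lines[0].rstrip(":")
    sigs: List[Tuple[str, Optional[str]]] = []
    digests_ok = True
    for line in lines[1:]:
        m = SIG_RE.search(line)
        if m:
            keyid = m.group("keyid")
            sigs.append((m.group("status").upper(), keyid.lower() if keyid else None))
            continue
        d = DIGEST_RE.search(line)
        if d and d.group("status").upper() != "OK":
            digests_ok = False

    key_ids = sorted({k for _, k in sigs if k})
    if not digests_ok:
        origin = "corrupt"            # contents do not match the header: never install
    elif not sigs:
        origin = "unsigned"           # nothing says who built it
    elif any(s == "BAD" for s, _ in sigs):
        origin = "bad_signature"      # signature present but does not verify
    elif any(s == "NOKEY" for s, _ in sigs):
        origin = "unknown_key"        # rpm cannot even check it: key not imported
    elif all(s == "OK" for s, _ in sigs):
        origin = "verified"           # origin established; says nothing about quality
    else:
        origin = "bad_signature"

    # Trust is decided here, by the allowlist, not by the mere presence of an OK signature.
    trusted_as = None
    if origin == "verified" and key_ids and all(k in trusted_keys for k in key_ids):
        trusted_as = trusted_keys[key_ids[0]]
    return Verdict(package, origin, key_ids, trusted_as)


if __name__ == "__main__":
    for sample in (UNKNOWN_KEY_OUTPUT, SIGNED_OUTPUT, TAMPERED_OUTPUT, UNSIGNED_OUTPUT):
        v = classify(sample)
        print(f"{v.package}: origin={v.origin} keys={v.key_ids} trusted_as={v.trusted_as}")
```

Note that the second sample yields `origin="verified"` and, only because 4f2a6fd2 is in the allowlist, a `trusted_as` label; with an empty allowlist the same package is still "verified" but `trusted_as` stays `None`. That is exactly the separation the post argues for: the signature answers "who built this?", and whether a rawhide key or a release key belongs on the allowlist for a given system is a decision the signature cannot make.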