Should Fedora rpms be signed?

Satish Balay balay at fastmail.fm
Mon Nov 1 18:24:19 UTC 2004



On Mon, 1 Nov 2004, Peter Jones wrote:

> On Fri, 2004-10-29 at 09:44 -0500, Ian Pilcher wrote:
> > Jeff Spaleta wrote:
> > > 
> > > Can rawhide packages be automatically signed... of course
> > > Does autosigning help the intended, well informed, audience of the
> > > rawhide packages... yes
> > > Does autosigning hurt the unintended, un-informed or mis-informed
> > > audience... i think it does.
> > > 
> > 
> > So you're suggesting that the use of signed packages should be limited
> > by some "least common denominator" of ignorant users?  I suspect that
> > if you broadly adopt that principle, you won't be real happy with the
> > results.
> 
> No, this is the wrong problem to discuss.  The problem isn't that the
> users are ignorant.  The problem is that we've systematically taught
> them what to expect a signature means, and we're going back and saying
> that sometimes -- only sometimes -- it only means part of that.
> 
> That's a serious flaw, and it's one we must address before we consider
> implementing any sort of automatic signatures.  The way to do so is to
> separate the task of verifying the source (or even the chain of sources,
> if there are mirrors of mirrors) from that of verifying trust of the
> contents.

Are you saying - currently when a package is gpg-signed by a person -
he/she actually goes through a manual process of verifying the
following?

- source is not tampered (including the initial .tar.gz, patches, .spec files)
- binary is not tampered
- source -> binary process didn't introduce 'ANY' tampering?

If not - I don't see any big change - as far as user perception goes
on gpg-signing on build system.

For us users there is no confusion:
- 'rawhide-key' is different from 'redhat-key' - so there is no confusion here.
- 'gpg' signed packages doesn't => stability (aka rawhide can always
  eat data) - so no confusion here..

Satish
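The thread turns on keeping two questions apart: "were these sources and this binary altered?" and "does the signing key's owner vouch for the contents?". The following added example (not from the thread, not Fedora or RPM tooling) sketches that separation. It assumes an HMAC-SHA256 tag over a manifest of artifact digests as a stand-in for a GPG signature, and uses the thread's 'rawhide-key' and 'redhat-key' names for two keys that attest to different things; all artifacts and secrets are constructed.

```python
"""Added example: keep "who signed this" separate from "what it attests to".

Assumptions (stand-ins, not real Fedora/RPM tooling):
- HMAC-SHA256 over a JSON manifest plays the role of a GPG signature.
- 'rawhide-key' and 'redhat-key' are the thread's names for an automated
  build-system key and a release key; their meaning is policy, not crypto.
"""
import hashlib
import hmac
import json

# Constructed secrets; a real system would use asymmetric GPG/RPM keys.
KEYS = {
    "rawhide-key": b"constructed-build-system-secret",
    "redhat-key": b"constructed-release-secret",
}

# What each key is declared to attest to (a policy table, separate from integrity).
ATTESTS = {
    "rawhide-key": "automatically built from the listed sources; untested",
    "redhat-key": "built from the listed sources and released after QA",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Record a digest of every input (tarball, patches, spec) and the output rpm."""
    return {name: sha256(blob) for name, blob in artifacts.items()}


def sign_manifest(manifest: dict, key_id: str) -> dict:
    """Tag the canonical manifest with the named key (stand-in for gpg --sign)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(KEYS[key_id], body, hashlib.sha256).hexdigest()
    return {"key_id": key_id, "manifest": manifest, "sig": tag}


def verify(signed: dict, artifacts: dict) -> dict:
    """Report integrity and signer separately from what the signer vouches for."""
    failed = {"integrity": False, "signed_by": None, "attests": None, "tampered": []}
    key_id = signed["key_id"]
    if key_id not in KEYS:
        return failed
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(KEYS[key_id], body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return failed  # manifest or tag altered, or claimed key did not sign it
    # Each listed artifact must be present and hash to the recorded digest.
    tampered = [n for n, d in signed["manifest"].items()
                if n not in artifacts or sha256(artifacts[n]) != d]
    return {
        "integrity": not tampered,
        "signed_by": key_id,
        "attests": ATTESTS[key_id],
        "tampered": tampered,
    }


# Constructed sample artifacts standing in for real sources and a built rpm.
SOURCES = {
    "foo-1.0.tar.gz": b"constructed tarball bytes",
    "foo-fix.patch": b"--- a/foo.c\n+++ b/foo.c\n",
    "foo.spec": b"Name: foo\nVersion: 1.0\n",
    "foo-1.0-1.i386.rpm": b"constructed binary rpm bytes",
}


def demo():
    """Three cases: untouched tree, edited .spec, and a relabelled signer."""
    signed = sign_manifest(build_manifest(SOURCES), "rawhide-key")
    clean = verify(signed, SOURCES)
    modified = {**SOURCES, "foo.spec": b"Name: foo\nVersion: 1.0\nEvil: yes\n"}
    altered = verify(signed, modified)
    relabelled = verify({**signed, "key_id": "redhat-key"}, SOURCES)
    return clean, altered, relabelled


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The verifier answers Satish's three bullet points mechanically (tarball, patches, spec and binary all hashed) and then, rather than collapsing the result into "signed, therefore fine", reports which key signed and what that key is declared to attest to; the stability claim stays a separate policy lookup, which is the distinction the thread asks for.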



