Should Fedora rpms be signed?
Satish Balay
balay at fastmail.fm
Mon Nov 1 21:24:54 UTC 2004
On Mon, 1 Nov 2004, Peter Jones wrote:
> On Mon, 2004-11-01 at 12:24 -0600, Satish Balay wrote:
> >
> > Are you saying - currently when a package is gpg-signed by a person -
> > he/she actually goes through a manual process of verifying the
> > following?
> >
> > - source is not tampered (including the initial .tar.gz, patches, .spec files)
> > - binary is not tampered
> > - source -> binary process didn't introduce 'ANY' tampering?
>
> I'm saying that when we release signed packages as Fedora or as Red Hat,
> we are acknowledging that we intend for all of these to be the case, and
> that we believe they are. That is to say that when we distribute a
> signed package it generally holds true, and is assumed to be true, that:
>
> - we've not included malicious code from the upstream
> - we don't think there are negative legal ramifications of
> us distributing that package in the distro
> - the source has not been maliciously tampered while retrieving
> it from the upstream source
> - the packaging itself is reasonable and will not harm your system
> when used appropriately
> - the process of compiling it did not introduce harmful changes
> which should have or could have been known ahead of time (that is,
> that the build environment can be trusted not to introduce problems)
> - for Fedora Core packages, the packages are free software
> - the packages are really from us (the signer)
>
> This is at least the case when we release a distro, a release candidate,
> or a test release in which the packages are signed. And in the very
> minor variations where one of these points isn't the case, the
> perception is still that they all are. That's what's important here,
> not the intent. If the intent isn't perfectly clear when looking at the
> data and the tools, then it doesn't make any difference to our users.
Ok - I had to respond to this.
The correct thing to do is to document the above text for EACH gpg-key
redhat uses. Saying the text is the SAME for ALL keys (hence can't
sign rawhide) is wrong.
And you haven't specified what the gpg-signer does (the process he
uses) to provide the above checks before signing.
>
> I further stipulate that unless there is actually some observable,
> immutable data to signify that a signature means only that the source
> has been verified, many users will assume that any signature represents
> _all_ of these things, and they are justified in this assumption.
There will always be wrong assumption. The fix is documentation.
> The problem that people are hoping to address is inconvenience of
> testing rawhide packages because they are not signed. Right now,
> package update tools have no option but to check both if the package
> data is correct and if the package is the one intended to be in the
> repo.
>
> Update tool authors resist making signature checking configurable on a
> per-repo basis, which would alleviate the strain but reduce the overall
> utility of the tools.
yum has an option to do independent 'gpg-checks' on each repository. So this
is not the problem.
> At the same time, users of rawhide and update
> tools really only care that the package is from the repo, not anything
> else. So the best answer, IMO, is to make it so that you can say "this
> is the right package" without all of the other implications, and then to
> change the update tools so that you *can* say "for this repo, I only
> care that the package is really from the repo". We don't need to check
> our traditional "package signature" per se; we need to check only that
Now you are coming up with a complex system just to justify using
multiple gpg-keys with the exact same meaning.
I'll stop now.
Satish
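The per-repository gpgcheck option mentioned above, shown as an added example that is not part of the original mail or of Fedora's own configuration: a constructed yum config in which the global default verifies signatures, [core] inherits that default, and [rawhide] opts out because its packages are unsigned, together with a small parser that reports the effective setting per repo and the rpm commands that check a package signature by hand. The repo ids, mirror URLs, the gpgkey path and the RPM_TO_CHECK variable are placeholders assumed for the example; the rpm commands only run when rpm is installed and RPM_TO_CHECK names a package file.

```shell
#!/bin/sh
# Added example (not from the mailing list or from Fedora): per-repo
# gpgcheck in a yum config, plus manual rpm signature checks. Repo ids,
# URLs and the key path below are constructed placeholders.

REPO_FILE="${TMPDIR:-/tmp}/yum-gpgcheck-example.$$.repo"

# Constructed yum config: [main] turns checking on for every repo,
# [core] inherits it, [rawhide] switches it off for its unsigned packages.
cat > "$REPO_FILE" <<'EOF'
[main]
gpgcheck=1

[core]
name=Fedora Core (constructed example)
baseurl=http://mirror.example.com/fedora/core/3/i386/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[rawhide]
name=Fedora Rawhide (constructed example)
baseurl=http://mirror.example.com/fedora/development/i386/
gpgcheck=0
EOF

# repo_gpgcheck FILE REPOID
# Print the effective gpgcheck value for REPOID: the repo's own setting if
# present, otherwise the [main] default, otherwise 0 (yum's old default).
repo_gpgcheck() {
    awk -v want="$2" '
        /^\[/ { sect = substr($0, 2, length($0) - 2); next }
        /^[ \t]*gpgcheck[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2])
            if (sect == "main") dflt = kv[2]
            else if (sect == want) val = kv[2]
        }
        END {
            if (val == "") val = (dflt == "" ? "0" : dflt)
            print val
        }
    ' "$1"
}

# verify_rpm PACKAGE.rpm
# Run rpm's own signature check; the exit status is rpm's (non-zero when the
# signature is bad or the signing key was never imported with rpm --import).
# A passing check proves which key signed the file and that it is intact,
# nothing about the process the signer followed before signing.
verify_rpm() {
    rpm --checksig "$1"
}

# signer_of PACKAGE.rpm
# Print the signature header so the key id that signed the package is visible.
signer_of() {
    rpm -qp --qf '%{SIGPGP:pgpsig}\n' "$1"
}

# Demonstration against the constructed config (updates-testing is absent
# from the file, so it falls back to the [main] default).
for repo in core rawhide updates-testing; do
    printf '%-16s gpgcheck=%s\n' "$repo" "$(repo_gpgcheck "$REPO_FILE" "$repo")"
done

# Signature checks need a real package and a working rpm; RPM_TO_CHECK is an
# assumed variable for this example, not a yum or rpm setting.
if command -v rpm >/dev/null 2>&1 && [ -n "${RPM_TO_CHECK:-}" ]; then
    signer_of "$RPM_TO_CHECK"
    verify_rpm "$RPM_TO_CHECK"
fi
```

Run it as `RPM_TO_CHECK=/path/to/package.rpm sh example.sh` to see both the per-repo table and the signature result; without RPM_TO_CHECK only the config table is printed. The split mirrors the point in the thread: gpgcheck=0 on one repo says nothing about the other repos, and a passing rpm --checksig tells you only which key signed the package.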