Should Fedora rpms be signed?

nodata fedora at nodata.co.uk
Tue Oct 26 13:38:35 UTC 2004


> On Tue, 2004-10-26 at 15:13 +0200, nodata wrote:
>> > This has been discussed over and over, so look at the archives.
>> > Basically it boils down to the Rawhide RPMs being automatically
>> > generated when there isn't always someone around to sign them.  Since
>> > the whole point of Rawhide is to get new bits out the door the choice
>> > is made not to hold them for a live body to sign them.
>>
>> Then perhaps rawhide should be signed with a separate key that signs the
>> packages without a live body.
>>
> If this is done then it severely reduces the relevance of having them
> signed in the first place.
>
> My understanding is that, when a package is "signed" by redhat, a human
> steps up to the plate, does certain verifications, then puts in the pass
> phrase, and hey presto you have a signed package.
>
> Your suggestion automates the whole process, and drastically reduces the
> security model.

True, hence the suggestion for a separate key.

Aside from the verifications carried out by the human (I'm not sure what
these are), the signed package from Red Hat would have one important
advantage over an unsigned package from Red Hat - that it really did pass
through one of the Red Hat build servers.

How can a Rawhide package perhaps downloaded from a _mirror_ be verified
without a signature?
Well maybe MD5sums could be used - they provide the verification that a
file probably hasn't been tampered with, but without the authenticity of a
key signed file.

MD5sums are probably already available for Rawhide, but yum doesn't
(AFAIK) verify these against MD5sums published by Red Hat on Red Hat's
site.

I think the core issue here is that yum users tracking Rawhide should have
a way to verify that a package has come through Red Hat. The current mix
of some-signed some-not packages leads to the constant suggestion on this
list that gpg checking should be turned off.
If yum could provide a lesser degree of verification, by verifying
checksums instead of signatures, this wouldn't be a bad thing?

> Personally, I am 100% happy for the sandpit to continue to be unsigned,
> so long as test/released packages are signed, I am happy.
>
> To me, rawhide is only half a step away from CVS, should the CVS access
> (once made public) also have every thing GPG signed?

Perhaps :)

> Doug
> --
> Douglas Furlong
> Systems Administrator
> Firebox.com
> T: 0870 420 4475        F: 0870 220 2178
> --
> fedora-test-list mailing list
> fedora-test-list at redhat.com
> To unsubscribe:
> http://www.redhat.com/mailman/listinfo/fedora-test-list
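The checksum-only verification the message proposes for yum, as an added example that is not part of this thread, of yum, or of any Red Hat tooling: it checks a downloaded file against a coreutils-style MD5SUMS manifest and, as the message says, shows why the manifest has to come from Red Hat's own site rather than from the same mirror as the package. The package name, the package bytes and both manifests are constructed sample data; md5 is used to match the thread, and the same code runs with sha256, which is what a current repository would publish.

```python
import hashlib

# Constructed sample data: these bytes stand in for an RPM fetched from a mirror.
PACKAGE_NAME = "example-1.0-1.noarch.rpm"          # hypothetical package name
GENUINE_PACKAGE = b"genuine rpm payload (constructed sample)"
TAMPERED_PACKAGE = b"tampered rpm payload (constructed sample)"


def digest_hex(data: bytes, algo: str = "md5") -> str:
    """Hex digest of data. 'md5' matches the MD5SUMS files the thread
    discusses; 'sha256' is what a current repository would publish."""
    return hashlib.new(algo, data).hexdigest()


def make_manifest(files: dict, algo: str = "md5") -> str:
    """Build a coreutils-style '<digest>  <filename>' manifest from {name: bytes}."""
    lines = [f"{digest_hex(data, algo)}  {name}" for name, data in files.items()]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse '<digest>  <filename>' lines into {filename: digest}.
    Tolerates blank lines, '#' comments and the '*' binary-mode marker."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_checksum(name: str, data: bytes, manifest_text: str, algo: str = "md5") -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for one file against one manifest."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return "unlisted"
    return "ok" if digest_hex(data, algo) == expected else "mismatch"


def verify_download(name: str, data: bytes, mirror_manifest: str,
                    vendor_manifest: str, algo: str = "md5") -> dict:
    """Check the file against the manifest the mirror serves beside it and
    against the one fetched from the vendor's own site. Only the vendor result
    says anything about where the package came from: whoever can alter the
    package on a mirror can alter the manifest next to it just as easily."""
    return {
        "mirror": verify_checksum(name, data, mirror_manifest, algo),
        "vendor": verify_checksum(name, data, vendor_manifest, algo),
    }


def demo() -> dict:
    """Two constructed downloads: an honest mirror, and a mirror that replaced
    both the package and its checksum list."""
    vendor = make_manifest({PACKAGE_NAME: GENUINE_PACKAGE})
    honest_mirror = vendor
    bad_mirror = make_manifest({PACKAGE_NAME: TAMPERED_PACKAGE})
    return {
        "genuine": verify_download(PACKAGE_NAME, GENUINE_PACKAGE, honest_mirror, vendor),
        "tampered": verify_download(PACKAGE_NAME, TAMPERED_PACKAGE, bad_mirror, vendor),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: mirror={result['mirror']} vendor={result['vendor']}")
```

The tampered case passes the mirror's own checksum list and fails only the list obtained from the vendor, which is the distinction the message draws between "probably hasn't been tampered with" and authenticity: the check is only as trustworthy as the channel the manifest arrived over, and a key-signed file carries that trust with it instead. Separately, MD5 collisions have been public since 2004, so a manifest meant to resist a deliberate substitution should use sha256, which this code accepts unchanged.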