Should Fedora rpms be signed?

Alexandre Oliva aoliva at redhat.com
Tue Oct 26 20:42:44 UTC 2004


On Oct 26, 2004, "nodata" <fedora at nodata.co.uk> wrote:

> Aside from the verifications carried out by the human (I'm not sure what
> these are), the signed package from Red Hat would have one important
> advantage over an unsigned package from Red Hat - that it really did pass
> through one of the Red Hat build servers.

No.  It would only prove that the package passed through a box that
had the signing key.  The more machines have access to such key, and
the more entry points such machines have, the more likely it is that
someone could abuse the keys to sign packages that didn't go
through the build servers, and the more likely it becomes that the key
leaks and starts being used for malicious purposes.  Sure enough, in a
perfect world, this shouldn't happen, but the world we live in is far
from that, so it's only reasonable to take care to avoid leaks, and to
avoid getting packages signed that didn't go through the build
system.

> I think the core issue here is that yum users tracking Rawhide should have
> a way to verify that a package has come through Red Hat.

Just don't let yum install packages that aren't signed.  How about you
start a rawhide mirror with the following properties: if a package is
not signed, it won't be in your mirror; you'll keep the previous
version of such package instead.

An alternative is to script a yum wrapper that, when encountering an
unsigned package, automatically excludes that and retries, until you
get only signed packages installed.  Heck, wouldn't it be way so cool
if yum could do it all by itself?

It's unlikely that signed packages will have dependencies on unsigned
packages, because of the way signing is done, so odds are that, given
daily rawhide pushes, you'd be able to move forward quite regularly.

> If yum could provide a lesser degree of verification, by verifying
> checksums instead of signatures, this wouldn't be a bad thing?

Err...  Doesn't it?  up2date does, and so does rpm.

>> To me, rawhide is only half a step away from CVS, should the CVS access
>> (once made public) also have every thing GPG signed?

> Perhaps :)

monotone!

-- 
Alexandre Oliva             http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer   aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist  oliva@{lsd.ic.unicamp.br, gnu.org}
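Added example, not part of the original post or of yum/rpm: a small model of the "yum wrapper" loop described above, which runs the signature check, excludes whatever does not verify, and retries until only signed packages are left. It assumes the line formats that `rpm -K` / `rpm --checksig` print (both the older "dsa sha1 md5 gpg OK" style and the newer "digests signatures OK" style), that yum accepts `--exclude=<name>`, and that every package name, version, path and key id below is constructed sample data rather than anything from the list.

```python
"""Model of a yum wrapper that excludes packages `rpm -K` cannot verify.

Added example, not from the original post.  Assumed (not from the post):
the `rpm -K` output shapes, the `yum --exclude=<name>` option, and all
package names, versions and paths, which are constructed sample data.
"""
import re
import subprocess

SIGNED = "signed"      # digests and GPG signature verified
UNSIGNED = "unsigned"  # digests only: there is no signature to verify
BAD = "bad"            # signature present but failed, or key not imported

# "<file>: <status words>"; the file part has no spaces or colons.
_PKG_RE = re.compile(r"^(?P<file>[^\s:]+):\s*(?P<status>.*)$")


def classify_checksig_line(line):
    """Map one `rpm -K` line to (file, verdict).  Assumed formats:
    "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"          -> signed (older rpm)
    "pkg.rpm: sha1 md5 OK"                         -> unsigned
    "pkg.rpm: ... (GPG) NOT OK (MISSING KEYS: ..)" -> bad
    "pkg.rpm: digests signatures OK" / "digests OK" (newer rpm)"""
    m = _PKG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised rpm -K line: %r" % line)
    status = m.group("status").lower()
    if "not ok" in status:
        verdict = BAD
    elif "gpg" in status or "pgp" in status or "signatures" in status:
        verdict = SIGNED
    else:
        verdict = UNSIGNED
    return m.group("file"), verdict


def package_name_from_file(path):
    """'/dir/foo-bar-1.0-2.noarch.rpm' -> 'foo-bar' (name-version-release.arch)."""
    base = path.rsplit("/", 1)[-1]
    if base.endswith(".rpm"):
        base = base[:-4]
    base = base.rsplit(".", 1)[0]      # drop the arch
    return base.rsplit("-", 2)[0]      # drop release and version


def build_exclude_list(checksig_output):
    """Package names from an `rpm -K` run that did not verify as signed."""
    names = set()
    for line in checksig_output.splitlines():
        if line.strip():
            fname, verdict = classify_checksig_line(line)
            if verdict != SIGNED:
                names.add(package_name_from_file(fname))
    return sorted(names)


def yum_command(excludes, action=("update",)):
    """argv for a yum run with the unverified packages excluded."""
    return ["yum"] + ["--exclude=%s" % n for n in excludes] + list(action)


def run_rpm_checksig(paths):
    """Real rpm -K invocation (assumed CLI); the sample data below never calls it."""
    proc = subprocess.run(["rpm", "-K"] + list(paths),
                          capture_output=True, text=True)
    return proc.stdout


def exclude_until_all_signed(resolve, checksig, max_rounds=10):
    """The wrapper loop: resolve, check signatures, exclude failures, retry.
    resolve(excludes) -> rpm files the transaction would install
    checksig(files)   -> `rpm -K` style output for those files
    Returns (excluded_names, verified_files)."""
    excludes = set()
    for _ in range(max_rounds):
        files = resolve(sorted(excludes))
        if not files:
            return sorted(excludes), []
        new = set(build_exclude_list(checksig(files)))
        if not new:
            return sorted(excludes), files
        if new <= excludes:
            raise RuntimeError("resolver ignored excludes: %s" % sorted(new))
        excludes |= new
    raise RuntimeError("no all-signed transaction after %d rounds" % max_rounds)


# Constructed sample data standing in for one rawhide transaction.
SAMPLE_FILES = {
    "kernel":  "/var/cache/yum/rawhide/packages/kernel-2.6.9-1.640.i686.rpm",
    "glibc":   "/var/cache/yum/rawhide/packages/glibc-2.3.3-74.i686.rpm",
    "foo-bar": "/var/cache/yum/rawhide/packages/foo-bar-1.0-2.noarch.rpm",
    "yum":     "/var/cache/yum/rawhide/packages/yum-2.1.11-1.noarch.rpm",
}
SAMPLE_CHECKSIG_OUTPUT = """\
%s: (sha1) dsa sha1 md5 gpg OK
%s: sha1 md5 OK
%s: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#placeholder)
%s: digests signatures OK
""" % (SAMPLE_FILES["kernel"], SAMPLE_FILES["glibc"],
       SAMPLE_FILES["foo-bar"], SAMPLE_FILES["yum"])


def fake_resolve(excludes):
    """Stand-in for yum's depsolver: everything not excluded gets pulled in."""
    return [f for n, f in SAMPLE_FILES.items() if n not in excludes]


def fake_checksig(files):
    """Stand-in for rpm -K: the sample lines for the requested files only."""
    return "\n".join(l for l in SAMPLE_CHECKSIG_OUTPUT.splitlines()
                     if l.split(":", 1)[0] in files)


if __name__ == "__main__":
    excluded, verified = exclude_until_all_signed(fake_resolve, fake_checksig)
    print("excluded:", excluded)
    print("would run:", " ".join(yum_command(excluded)))
```

Treating a package whose signing key is not imported as "bad" rather than "signed" is deliberate: a signature the local keyring cannot verify gives no more assurance than no signature at all, so it goes on the exclude list too.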