Should Fedora rpms be signed?
John Burton
j.c.burton at gats-inc.com
Fri Oct 29 12:56:55 UTC 2004
Nils Philippsen wrote:
[...snip...]
>I still don't see how signing a package makes it more trustworthy than
>signing the repo metadata. Signing a package gives me some amount of
>trust in its origin, not its quality or whatever.
>
>
>
Jumping into this discussion face first...
As you said, signing a package gives you some amount of trust in its
origin. The trust in its quality is derived from the reputation of the
origin, i.e. I would "trust" the quality of a package signed by RedHat
before I would "trust" the quality of a package signed by Joe Schmo from
xyz. But that "trust" in the RedHat quality would probably be damaged if
they were to "sign" pre-release (rawhide) packages. So, releases should
be signed, tests should not.
As far as signing packages vs. signing meta-data... Digital signatures
are like real signatures, you want to make sure they are actually
attached to what you are signing. If there is a chance that the package that
the signed meta-data represents can be changed without invalidating the
signature, then you've lost the authentication power of the signature.
In the non-digital world, you sign each page of a contract, not a
separate blank page attached to the contract. Signing a blank page is
meaningless...
Okay, back to lurking in the dark shadows...
John
>Nils
>
>