Should Fedora rpms be signed?

Nils Philippsen nphilipp at redhat.com
Fri Oct 29 15:34:48 UTC 2004


On Fri, 2004-10-29 at 15:09 +0000, Andrew wrote:
> > On Fri, October 29, 2004 02:08 PM Jeff Spaleta wrote:
> 
> > you can grab the signed metadata with the md5sums, check the sig on that.
> > and then do a md5sum check comparing the md5sum values in the metadata
> > and the package. You can do the md5sum check by hand. This isn't much
> > different than the situation with the isos.  How do you verify you are
> > using the correct isos? you check the md5sums against an md5sum list.
> > How do you check the validity of the md5sum list?
> > You check the md5sum list signature. 
> 
> Amen!!!!!! Thank you for restating that again. I was hoping when you
> presented that before it would put all this to rest.
> That's how digital signatures "work". I think that is really the
> BEST solution for this whole problem. 

While we're at "restating"...

- Signing a repository is not the same as signing individual packages.
With the first you need to trust two "layers", i.e. you trust that the
repo is from Red Hat because its metadata is signed with our key and you
trust the package isn't compromised because its MD5 sum matches the one
in the list. There is a reason why my trust in GPG keys is reduced the
further a specific key is away from me, e.g. if I trust you because we
both were at a key signing party and signed our respective keys, I will
trust the keys you signed elsewhere less than yours because there is
greater risk that one of the elements of the chain "breaks". This is not
because of my mistrust in your signing other keys but because I don't
believe in the absolute security of the process and the more elements
are between two "elements" of that process (me being one), the higher is
the probability that something could break and the less is my trust in
said other element.
- People who can't see the difference between a Rawhide and a RHEL final
key are likely to just ignore whether packages are signed or not.
- I can't see how making it a hassle for the people who know what
different signatures mean helps in any way.
 
> > Can rawhide packages be automatically signed... of course
> > Does autosigning help the intended, well informed, audience of the
> > rawhide packages... yes
> > Does autosigning hurt the unintended, un-informed or mis-informed
> > audience... i think it does.
> 
> > 
> > -jef
> > 
> 
> And I think the latter is a bigger and worse impact than the 
> benefit of the former!

I think the latter has no noticeable impact because of the reasons I
stated above and in other mails.

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011
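The two-layer check Jeff and Nils describe (verify the signature on the md5sum list, then compare each package's digest against that list), written out as an added example that is not part of this thread or of any Fedora tooling. It assumes a constructed two-package "repository", and it uses HMAC-SHA256 with a constructed key as a stand-in for the detached GPG signature on the metadata so it runs without gpg; the digest algorithm defaults to md5 because that is what the thread discusses and can be switched to sha256.

```python
import hashlib
import hmac

# Constructed sample "repository": file names mapped to package bytes.
# These stand in for real RPM files; nothing here comes from the mailing list.
PACKAGES = {
    "foo-1.0-1.noarch.rpm": b"constructed contents of foo",
    "bar-2.3-4.noarch.rpm": b"constructed contents of bar",
}

# Assumption: a secret known only to the repository owner. The thread talks about
# a GPG key and a detached GPG signature on the metadata; HMAC-SHA256 with this
# constructed key is a stand-in so the example runs without gpg installed.
REPO_KEY = b"constructed-repo-signing-key"


def build_metadata(packages, algo="md5"):
    """Produce an md5sum-style list: one '<hexdigest>  <filename>' line per package.
    The thread used md5sum; pass algo='sha256' for a modern digest."""
    lines = [f"{hashlib.new(algo, data).hexdigest()}  {name}"
             for name, data in sorted(packages.items())]
    return ("\n".join(lines) + "\n").encode()


def sign_metadata(metadata, key=REPO_KEY):
    """Layer one: the repository owner signs the digest list (HMAC stands in for GPG)."""
    return hmac.new(key, metadata, hashlib.sha256).digest()


def verify_signature(metadata, signature, key=REPO_KEY):
    """Check the signature on the list with a constant-time comparison."""
    expected = hmac.new(key, metadata, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def parse_metadata(metadata):
    """Parse 'md5sum -c' style lines into {filename: hexdigest}; tolerates the '*' binary marker."""
    entries = {}
    for line in metadata.decode().splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_package(name, data, metadata, signature, key=REPO_KEY, algo="md5"):
    """Layer two on top of layer one: refuse to use the digest list until its
    signature checks out, then compare the package digest against the listed one.
    Returns (ok, reason) so callers can log why a package was rejected."""
    if not verify_signature(metadata, signature, key):
        return False, "metadata signature invalid"
    entries = parse_metadata(metadata)
    if name not in entries:
        return False, "package not listed in signed metadata"
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, entries[name]):
        return False, "package digest does not match signed metadata"
    return True, "ok"


def demo():
    """Walk through the cases a client must handle; returns {case: (ok, reason)}."""
    metadata = build_metadata(PACKAGES)
    signature = sign_metadata(metadata)
    results = {}

    # 1. Untouched package: both layers pass.
    results["genuine"] = verify_package(
        "foo-1.0-1.noarch.rpm", PACKAGES["foo-1.0-1.noarch.rpm"], metadata, signature)

    # 2. Package replaced on a mirror: its digest no longer matches the signed list.
    results["tampered_package"] = verify_package(
        "foo-1.0-1.noarch.rpm", b"trojaned contents", metadata, signature)

    # 3. Mirror also rewrites the digest list to match: the original signature no
    #    longer covers the new list, so layer one fails before any digest is compared.
    forged = build_metadata({**PACKAGES, "foo-1.0-1.noarch.rpm": b"trojaned contents"})
    results["forged_metadata"] = verify_package(
        "foo-1.0-1.noarch.rpm", b"trojaned contents", forged, signature)

    # 4. A package the signed list never mentioned.
    results["unlisted"] = verify_package(
        "evil-0.1-1.noarch.rpm", b"anything", metadata, signature)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:18s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The order matters: the signature is checked before the list is even parsed, which is what makes the "forged metadata" case fail at layer one rather than being accepted because the rewritten digest happens to match the rewritten package. That is also where Nils's chain-length argument applies: a client that skips the signature check is trusting a plain digest list that any mirror operator could regenerate.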



