Should Fedora rpms be signed?

Rodolfo J. Paiz rpaiz at simpaticus.com
Fri Oct 29 18:45:45 UTC 2004 

On Fri, 2004-10-29 at 19:37 +0200, Nils Philippsen wrote:
> I see no downside in repo metadata signing either, it's a good thing
> actually. But it is not an argument on why packages shouldn't be signed
> individually.
> 

Sigh... backing up a few steps for historical clarification:

Matías argued that, because *some* Rawhide packages are not signed, one
does not have for those packages *any* ability to see that what is on a
mirror is in fact exactly what came out of the Red Hat buildsystem. He
argued pro signing of all Rawhide packages.

Others argued that this has either no value or negative value. A debate
ensued as to whether passwordless keys would be better than nothing or
worse than nothing.

Someone suggested that, for those Rawhide packages which were not
signed, one possible way to get that benefit of knowing that package XYZ
on Server A is bit-identical to the one on the main Rawhide server was
to sign the repo metadata. It was suggested that this would provide an
additional benefit to the rest of the world, at no real downside.

I really liked the idea and said basically that if this has good benefit
and no real downside, then how do we get it done?

You came on scene and started arguing that it was a Bad Thing which
would destroy the world as we know it. ;-) We now realize that you are
not "contra repo signing" but rather "pro package signing".

So welcome to the club. I am also pro package signing, but some Rawhide
packages are not signed and at least repo signing helps provide some
benefit, and I like that benefit. Matías is vehemently pro signing
*every* package, and some people have responded that they either don't
want to sign all Rawhide packages, or perhaps even don't want to sign
any Rawhide packages. I'll leave exact interpretations to you when you
read through the archived thread.

Now... the whole point of this thread is now to:

 1. Argue that all packages should be signed, even all Rawhide. There
appear to be strong feelings either way.

 2. In context, it also appeared that repo signing could also be
implemented as an *additional* measure that would provide some good
benefits. I have not seen any arguments against that other than yours.

What do you think of those two thoughts?

Cheers,

-- 
Rodolfo J. Paiz <rpaiz at simpaticus.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-test-list/attachments/20041029/ddf9088d/attachment.sig>

More information about the fedora-test-list mailing list