[fedora-virt] GPG signatures for Rawhide virt repo

Mark McLoughlin markmc at redhat.com
Fri Jun 5 13:40:04 UTC 2009

Hi Ján,

On Fri, 2009-06-05 at 13:21 +0200, Ján ONDREJ (SAL) wrote:
> Hello,
>   Mark, can you please add signatures to vire-preview packages? Installation
> of totally unsigned packages on my machine is not a good idea, because I
> don't know, if they was changed by an attacker on internet.

I've added this to the TODO list[1], but I don't think it takes priority
over the other items on the list since the repository is a subset of
rawhide and rawhide is usually unsigned.

If we do this, though, we should implement this in a relatively secure
manner so as to not merely give the illusion of security e.g.

 1) The key should be password protected and kept somewhere safe; I
    don't see why people should have confidence in packages signed with
    a password-less key stored on my laptop

 2) Key distribution - putting the public key in a text file in the repo
    doesn't help; if the repo can be compromised, so can that text file
    - perhaps we could include the key in an F-11 RPM?


[1] - http://markmc.fedorapeople.org/virt-preview/README

More information about the Fedora-virt mailing list