On Thu, Jan 03, 2008 at 11:15:21PM +0100, Till Maas wrote:
On Do Januar 3 2008, Michael E Brown wrote:
> It looks to me like the goal of adding gpg key support is to add some
> stricter security guarantees around mock builds. It would be nice if you
> could codify exactly what you think the security guarantee should look
> like, and what are the possible attack vectors against this. This should
> guide us in resolving this.
Using gpg support for mock builds makes the resulting rpm packages more
trustworthy, because then the rpms used to populate the chroot can be trusted
to be the official Fedora/CentOS ones. This is e.g. useful for uses that have
internet access via an untrusted network, e.g. on conferences or at
universities. There easily man in the middle attacks can occur, e.g. via arp
or dns cache poisining or on conferences via rogue dhcp servers. And it also
prevents against bad mirrors. Basically, using gpg for mock chroots has the
same advantages as using gpg for a normal system.
I would probably just focus the discussion on 'bad mirrors' or 'evil
mirrors', as the other cases discussed are all just derivatives of this
> On the other hand, shipping the GPG keys with mock creates a maintenance
> overhead, but one that I dont think is very large. These keys dont ever
> (afaik) change, so it should be just a one time thing to get them in and
> the configs set up.
Even when only URLS are used that point to the keys, once the keys change, it
is very likely that the URL changes, too. But I guess this will not happen
for a specific release, so only when new config files for a new Fedora or
CentOS release are created, maybe the gpg keys need to be adjusted.
There is an exceedingly slight advantage to having to change only a URL
in a config file over having to download and include another file. There
is also the advantage that if we support lots of default configs, we
dont have to ride herd on a directory full of gpg keys. (and knowning
when to expire them or download new ones.)
I am leaning myself towards trying if at all possible to simply use a
gpg key url.