Seth Vidal <skvidal <at> fedoraproject.org> writes:
> I think it will complicate things a lot for users to verify
Users wouldn't actually have to verify anything by hand. The idea was that yum
does that for them. I don't see how that would be any more complicated than now.
Say there are 10 signatories in the pool. Yum would check that:
- the package is signed with the Fedora key
- the package is signed by at least N (say 2) other keys from the pool
- failing the above, it would not accept the package
N could even be configurable in yum for smooth transition from the single key
scenario.
> and it's not
> obvious how much we'll gain in terms of security.
It is similar to what a reporter does to confirm a story. One source, not so
reliable. Two sources, more reliable. Many sources, most likely reliable.
In terms of attacks, right now if somebody gets a hold of the password of the
Fedora key, it's game over. Ditto if someone compromises the build system to
start producing bad binaries.
With the multi-key, multi-build system, an attacker would need to get his hands
on a lot of private key passwords, break multiple independent build systems etc.
I always think of flight attendants and how they are told by the captain to
secure the doors and cross-check. I'm sure there must be a good reason for that
cross-check :-)
--
Bojan
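The acceptance rule sketched in the message above (Fedora key required, plus at least N distinct keys from a pool, N configurable, reject otherwise), as an added example that is not part of the original message and not yum's own code. The key ids, the package bytes and the signer registry are made up for the example, and each "signature" is an HMAC over the package keyed by a per-signer secret, a stand-in for the OpenPGP signatures yum would really check; the point is the policy logic, in particular that signatures from the same pool key only count once and that unknown or bad signatures are ignored rather than counted.

```python
"""Threshold co-signing policy for packages: distribution key plus N pool keys.

Added example, not yum code. Signatures are HMAC-SHA256 over the package bytes
keyed by a per-signer secret, a stand-in for OpenPGP detached signatures so the
example runs offline. Key ids and secrets below are invented.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Tuple

FEDORA_KEY_ID = "fedora-release"  # hypothetical id of the distribution key

# Hypothetical signer registry (key id -> secret). With OpenPGP this would be a
# keyring of public keys; the secret only exists here so sign() can work.
SIGNER_SECRETS = {
    "fedora-release": b"fedora-key-secret",
    "pool-alice": b"alice-secret",
    "pool-bob": b"bob-secret",
    "pool-carol": b"carol-secret",
}
# Every known key other than the Fedora key is a pool (co-signer) key.
POOL_KEY_IDS = frozenset(k for k in SIGNER_SECRETS if k != FEDORA_KEY_ID)


@dataclass(frozen=True)
class Signature:
    key_id: str   # which key claims to have signed
    value: bytes  # the signature bytes (here: an HMAC digest)


def sign(key_id: str, package: bytes) -> Signature:
    """Produce a stand-in signature over the package with the given key."""
    digest = hmac.new(SIGNER_SECRETS[key_id], package, hashlib.sha256).digest()
    return Signature(key_id, digest)


def signature_valid(sig: Signature, package: bytes) -> bool:
    """True only if the key is known and its signature matches the package."""
    secret = SIGNER_SECRETS.get(sig.key_id)
    if secret is None:
        return False  # unknown signer: never counts toward the threshold
    expected = hmac.new(secret, package, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.value)


def check_package(package: bytes, sigs: Iterable[Signature],
                  required_pool_sigs: int = 2) -> Tuple[bool, str]:
    """Apply the policy from the message: Fedora key AND >= N distinct pool keys.

    required_pool_sigs=0 reproduces the single-key behaviour, which is the
    'configurable N for a smooth transition' idea.
    """
    # Collect the set of key ids with a valid signature; a set means the same
    # key signing twice is counted once, so one compromised pool key cannot
    # satisfy the threshold on its own.
    valid_key_ids = {s.key_id for s in sigs if signature_valid(s, package)}
    if FEDORA_KEY_ID not in valid_key_ids:
        return False, "rejected: missing or invalid Fedora key signature"
    pool_count = len(valid_key_ids & POOL_KEY_IDS)
    if pool_count < required_pool_sigs:
        return False, (f"rejected: {pool_count} valid pool signature(s), "
                       f"{required_pool_sigs} required")
    return True, f"accepted: Fedora key + {pool_count} pool signature(s)"


if __name__ == "__main__":
    pkg = b"constructed package payload: foo-1.0-1.fc.noarch.rpm"
    good = [sign("fedora-release", pkg), sign("pool-alice", pkg), sign("pool-bob", pkg)]
    print(check_package(pkg, good))
    print(check_package(pkg, [sign("fedora-release", pkg)]))
```

Run it and the first check is accepted while the second (Fedora key alone, N=2) is rejected; lowering N to 0 on the second call accepts it, which is the transition mode the message mentions.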