On Tue, 2008-08-26 at 11:56 +1000, Bojan Smojver wrote:
> In the light of recent RPM signing intrusions, maybe we should resurrect
> the RPM feature where multiple signatures are allowed (i.e. --addsign is
> different to --resign)? With this we could then require N good
> signatures (and no bad ones) on each package before yum would trust the
> content.
>
> Signatories could also use alternative build systems with no public
> access (e.g. their own, Matt's at Dell etc.) to verify package checksums
> before signing, in order to avoid trusting a compromised Fedora build
> system.
I think the checksums would be the hardest part. Build times, hosts
and other details are very often embedded into a build.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team
http://samba.org
Samba Developer, Red Hat Inc.
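The "N good signatures and no bad ones" rule proposed above, as an added example that is not part of this thread or of rpm/yum: a policy check over signature lines shaped like `rpm -Kv` output. The line format, the key IDs and the sample package output are constructed for the example, and a package carrying several payload signatures is assumed, as the proposal requires.

```python
import re
from typing import List, Set, Tuple

# Matches signature lines shaped like rpm -Kv output (format assumed from
# rpm 4.x); digest lines (SHA1, MD5) are deliberately not matched.
SIG_LINE = re.compile(
    r"^\s*(Header )?V\d \w+ signature: (OK|BAD|NOKEY), key ID ([0-9a-fA-F]+)")

def evaluate_policy(rpm_kv_output: str, trusted_keys: Set[str],
                    required: int) -> Tuple[bool, str]:
    """Return (accept, reason). Accept only when signatures from at least
    `required` distinct trusted keys verified OK and no signature line
    reported BAD or NOKEY."""
    good: Set[str] = set()
    problems: List[str] = []
    for line in rpm_kv_output.splitlines():
        m = SIG_LINE.match(line)
        if not m:
            continue
        status, keyid = m.group(2), m.group(3).lower()
        if status != "OK":
            problems.append(f"{status} from key {keyid}")
        elif keyid in trusted_keys:
            # Header and payload signatures from the same key count once:
            # the policy is about distinct signers, not signature lines.
            good.add(keyid)
        # An OK from a key outside the trusted set neither counts nor rejects.
    if problems:
        return False, "rejected: " + "; ".join(problems)
    if len(good) < required:
        return False, f"rejected: {len(good)} trusted signer(s), need {required}"
    return True, f"accepted: signed by {sorted(good)}"

# Constructed key IDs and constructed rpm -Kv style output for one package.
TRUSTED = {"4f2a6fd2", "1ac70ce6"}
SAMPLE_OK = """\
foo-1.0-1.fc9.noarch.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (f00d...)
    V3 DSA signature: OK, key ID 4f2a6fd2
    V3 DSA signature: OK, key ID 1ac70ce6
    MD5 digest: OK (beef...)
"""
SAMPLE_BAD = """\
foo-1.0-1.fc9.noarch.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    V3 DSA signature: BAD, key ID 1ac70ce6
"""

if __name__ == "__main__":
    print(evaluate_policy(SAMPLE_OK, TRUSTED, 2))
    print(evaluate_policy(SAMPLE_BAD, TRUSTED, 1))
```

A single BAD line rejects the package even when enough other signers verified, which is the point of the "no bad ones" clause.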