On Thu, Mar 31, 2016 at 01:39:17PM -0000, Ralf Senderek wrote:
> But the MUST has some implications:
> 1) The packager's trust-building activities into the public key are by no
> means optional.
Yes, the whole exercise would be pointless otherwise.
> 2) Patches that are applied to the signed (and checked) source must also be
> signed by the packager and checked in %prep.
No, that would be just a waste of time.
We trust dist-git contents. The patches are stored in dist-git, so
they are already trusted (in the sense that we know that the patch is
what the maintainer committed), so signing them has no benefit.
(The maintainer should check the patch before committing it, of course).
> From an ordinary Fedora user's point of view, modifications of the trusted
> source code should also be properly attributed to the one who modified it.
> If upstream signs its code, it is for the purpose of better distinguishing
> original and patched code. So in order to add accountability, patches must be
> signed as well.
I don't buy that reasoning. You sign stuff to prevent silent
modification (because of malice or corruption), and not to track
changes; we have better mechanisms for that.
If you want to see who changed what, look at the spec file.
In particular, note that "sed in %prep" is just as effective in changing
stuff as a patch, so it makes no sense to just sign the patches in
dist-git, you'd have to sign the whole dist-git contents.
> 3) While the new tarball can be a URL, the public key ring cannot be
> allowed to be downloaded, it must be produced by the packager and added
> as a file to the SOURCE directory.
Yes.
Zbyszek
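As an added illustration that is not part of this thread, here is a spec fragment in the shape Fedora's later `%{gpgverify}` macro uses, applying the three points above: the keyring (Source2) is a local file the packager exported after checking the fingerprint out of band, the tarball and its detached signature are URLs, and the dist-git patch is applied only after verification, without a signature of its own. The package name, URLs and FINGERPRINT are placeholders.

```spec
# Added example, not from the thread: verify the upstream tarball signature
# in %prep before the source is unpacked or any patch is applied.
Name:           foo
Version:        1.0
Release:        1%{?dist}
Summary:        Example package with verified upstream source
License:        MIT

# Tarball and detached signature may be fetched from upstream URLs (point 3).
Source0:        https://example.org/releases/foo-%{version}.tar.gz
Source1:        https://example.org/releases/foo-%{version}.tar.gz.asc
# The keyring is NOT a URL: the packager exports it locally after checking
# the key fingerprint against an independent source (point 1), e.g.:
#   gpg --export --export-options export-minimal FINGERPRINT > gpgkey-FINGERPRINT.gpg
# FINGERPRINT is a placeholder for the real upstream release-key fingerprint.
Source2:        gpgkey-FINGERPRINT.gpg

# Patches live in dist-git and carry no separate signature (point 2);
# the dist-git commit history is the record of who changed what.
Patch0:         foo-1.0-fix-build.patch

# gpgverify needs gnupg2 in the build root.
BuildRequires:  gnupg2

%description
Example package demonstrating upstream source signature verification
during the prep stage.

%prep
# Abort the build unless Source0 carries a valid signature from a key in
# the packager-supplied keyring. Runs before unpacking and patching.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
# Only after verification: unpack the trusted tarball and apply dist-git patches.
%autosetup -p1
```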