yum update fedora-release-notes
produces
Package fedora-release-notes-8.0.0-2.noarch.rpm is not signed
this is true for about 16 packages on my Rawhide system today
/Yonas
On Thu, 2007-10-25 at 20:48 -0400, yonas Abraham wrote:
yum update fedora-release-notes
produces
Package fedora-release-notes-8.0.0-2.noarch.rpm is not signed
this is true for about 16 packages on my Rawhide system today
This has been discussed a bunch of times already. Rawhide packages aren't signed. This is intentional. Until we hit the final release, either:
1) disable 'fedora' and 'updates' repositories, and re-enable 'development' - this is best if you're planning to follow rawhide in the future
or:
2) disable 'gpgcheck' for 'fedora' - you need to remember to re-enable it when Fedora 8 is released!
Hope that helps,
-w
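A check for the reminder in option 2, as an added example that is not part of the thread: it lists enabled repositories whose effective gpgcheck is off, so a disabled check is not forgotten after the release. The sample configuration is constructed, and the function names (unsigned_repos, read_all) are hypothetical.

```python
import configparser
import glob

# Constructed sample configuration, not copied from any real system.
SAMPLE_MAIN = "[main]\ngpgcheck=1\n"
SAMPLE_REPOS = """
[fedora]
enabled=1
gpgcheck=0

[updates]
enabled=1

[development]
enabled=0
gpgcheck=0
"""

def _on(value):
    return value.strip().lower() in ("1", "true", "yes")

def _parse(text):
    # strict=False: tolerate the same repo id appearing in several files
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def unsigned_repos(main_text, repo_text):
    """Return ids of enabled repos whose effective gpgcheck is off."""
    # A repo without its own gpgcheck line inherits the [main] value;
    # yum.conf(5) gives 0 as the default when [main] does not set it.
    default = _parse(main_text).get("main", "gpgcheck", fallback="0")
    repos = _parse(repo_text)
    return [
        repo_id for repo_id in repos.sections()
        if repo_id != "main"
        and _on(repos.get(repo_id, "enabled", fallback="1"))
        and not _on(repos.get(repo_id, "gpgcheck", fallback=default))
    ]

def read_all(pattern):
    # Concatenate every file matching the pattern ("" if none exist).
    parts = []
    for path in sorted(glob.glob(pattern)):
        with open(path) as fh:
            parts.append(fh.read())
    return "\n".join(parts)

if __name__ == "__main__":
    print("sample:", unsigned_repos(SAMPLE_MAIN, SAMPLE_REPOS))
    print("system:", unsigned_repos(read_all("/etc/yum.conf"),
                                    read_all("/etc/yum.repos.d/*.repo")))
```

A disabled repository with gpgcheck=0 is not reported, because yum never installs from it until it is enabled.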
On 10/25/07, Will Woods wwoods@redhat.com wrote:
On Thu, 2007-10-25 at 20:48 -0400, yonas Abraham wrote:
yum update fedora-release-notes
produces
Package fedora-release-notes-8.0.0-2.noarch.rpm is not signed
this is true for about 16 packages on my Rawhide system today
This has been discussed a bunch of times already. Rawhide packages aren't signed. This is intentional. Until we hit the final release, either:
- disable 'fedora' and 'updates' repositories, and re-enable 'development' - this is best if you're planning to follow rawhide in the future
or:
- disable 'gpgcheck' for 'fedora' - you need to remember to re-enable it when Fedora 8 is released!
Hope that helps,
-w
Thanks, I was not aware that my machine switched to "Fedora release 8 (Werewolf)". I am back to rawhide now and everything is good now.
/Yonas
On Thu, Oct 25, 2007 at 10:51:24PM -0400, Will Woods wrote:
this is true for about 16 packages on my Rawhide system today
This has been discussed a bunch of times already. Rawhide packages aren't signed. This is intentional. Until we hit the final release,
Although, for the past six months or so, new packages hitting rawhide have in fact happened to have been signed.
On Fri, 26 Oct 2007 11:57:19 -0400 Matthew Miller mattdm@mattdm.org wrote:
Although, for the past six months or so, new packages hitting rawhide have in fact happened to have been signed.
Not all of them. Only packages that were in say a test release, or inherited from a previous release. There is no autosigning happening.
On Fri, Oct 26, 2007 at 11:57:19AM -0400, Matthew Miller wrote:
Although, for the past six months or so, new packages hitting rawhide have in fact happened to have been signed.
No, wait, never mind me. I am speaking crazy-talk.
Am Donnerstag, den 25.10.2007, 22:51 -0400 schrieb Will Woods:
This has been discussed a bunch of times already. Rawhide packages aren't signed. This is intentional.
That's nice. So I'll stop testing rawhide now because I don't know where the packages are from. Conveniently jumping off and on the security bandwagon at different stages in the release is a bit churlish.
It only takes one malicious unsigned package to be installed for the box to be compromised, and nothing will protect against that.
Come on though, we have auto-signing now, what was the killer reason for unsigned rpms?
On 10/28/07, Toshio Kuratomi a.badger@gmail.com wrote:
We don't have auto-sign yet. Which is the main reason we don't have signed rawhide packages.
I think if we are serious about making rawhide day-to-day friendly to encourage 'normal' people (aka Norms) to become part of the rawhide testing process we'll need to autosign..something. Is there a feature page for roadmapping rawhide non-toxic?
I think greg's right that bootable usbsticks are a pretty interesting target as a testing platform for pre-release testing.
We just need to work out a reasonable transition from the usb stick to gold release upgrade of the main system and we can add some assurance that the pre-release bits are not being tampered with.
-jef"I want a 4 gig usb stick shaped like the fedora logo that I can dedicate to rawhide testing"spaleta
On Tue, 30 Oct 2007 10:58:26 -0800 "Jeff Spaleta" jspaleta@gmail.com wrote:
I think if we are serious about making rawhide day-to-day friendly to encourage 'normal' people (aka Norms) to become part of the rawhide testing process we'll need to autosign..something. Is there a feature page for roadmapping rawhide non-toxic?
Not written down, but in my head.
1) write a signing server (work progressing)
2) deploy a signing server human driven
3) wire up a method to let koji request packages be signed for it as part of the build process.
4) profit.
On 10/30/07, Jesse Keating jkeating@redhat.com wrote:
- write a signing server (work progressing)
- deploy a signing server human driven
- wire up a method to let koji request packages be signed for it as part of the build process.
Does this parse as koji requests auto-signing? Or is that a request to put packages in a queue for the human driver to deal with?
- profit.
I'd settle for break-even.
-jef
On Tue, 30 Oct 2007 11:15:34 -0800 "Jeff Spaleta" jspaleta@gmail.com wrote:
Does this parse as koji requests auto-signing? Or is that a request to put packages in a queue for the human driver to deal with?
As to not delay rawhide composes, the correct thing is to sign a package as soon as it's tagged for something that is going to rawhide. So either koji needs to do it itself, or we need to have some daemon that listens for tag successes and kicks off a signing request (or a scheduled "sign all in dist-rawhide" run which can be... slow).
But since that's step 3, I'm not committing to any design until steps one and two are complete.
On 10/30/07, Jesse Keating jkeating@redhat.com wrote:
But since that's step 3, I'm not committing to any design until steps one and two are complete.
You are absolutely no fun.
-jef
nodata wrote:
Am Donnerstag, den 25.10.2007, 22:51 -0400 schrieb Will Woods:
This has been discussed a bunch of times already. Rawhide packages aren't signed. This is intentional.
That's nice. So I'll stop testing rawhide now because I don't know where the packages are from. Conveniently jumping off and on the security bandwagon at different stages in the release is a bit churlish.
It only takes one malicious unsigned package to be installed for the box to be compromised, and nothing will protect against that.
Come on though, we have auto-signing now, what was the killer reason for unsigned rpms?
A malicious package that gets placed into the system by a maintainer would come flying down into your system 'signed' by an autosign process too... and you'd happily not notice. That maintainer would pretty soon get reprimanded and the packages cleaned up, but really nothing is in place to prevent that either (in rawhide). Testing rawhide isn't for boxes with corporate sensitive data...
If you keep an eye on where your packages are coming from, even for rawhide, then you can be sure that only authorized maintainers have put them into the system (control which mirrors you're pulling them from). Actually signing the package from the build system would change very little other than insure that the mirror you're downloading from did not bring in a new package that doesn't belong.
So as it stands, you have to extend trust to the maintainers, and the mirror. You can pick which mirror you trust.
Hi.
On Sun, 28 Oct 2007 13:40:25 -0700, Andrew Farris wrote
A malicious package that gets placed into the system by a maintainer would come flying down into your system 'signed' by an autosign process too... and you'd happily not notice.
Yes. That way I'd have to trust the maintainer and our build system.
As it stands now, I have to trust the maintainer, the build system and the rest of the internet.
Which is rather a lot of trust.
On So Oktober 28 2007, Andrew Farris wrote:
prevent that either (in rawhide). Testing rawhide isn't for boxes with corporate sensitive data...
This seems not to be common knowledge, because afaik even Fedora Maintainers use Rawhide on a system, where they create new packages.
Actually signing the package from the build system would change very little other than insure that the mirror you're downloading from did not bring in a new package that doesn't belong.
Imho it is a big benefit, because it is very easy for a mirror maintainer to change a package. Also someone who breaks into a mirror can easily cause heavy damage. And last but not least, the manipulation of the package can also happen on the connection to the mirror, e.g. on conferences with free/open wifi/internet access.
Regards, Till
Am Sonntag, den 28.10.2007, 13:40 -0700 schrieb Andrew Farris:
If you keep an eye on where your packages are coming from, even for rawhide, then you can be sure that only authorized maintainers have put them into the system (control which mirrors you're pulling them from). Actually signing the package from the build system would change very little other than insure that the mirror you're downloading from did not bring in a new package that doesn't belong.
It worries me massively, from a security perspective, that someone from inside Red Hat would say something as wrong as this.
So as it stands, you have to extend trust to the maintainers, and the mirror. You can pick which mirror you trust.
Am Dienstag, den 30.10.2007, 19:25 +0100 schrieb nodata:
Am Sonntag, den 28.10.2007, 13:40 -0700 schrieb Andrew Farris:
If you keep an eye on where your packages are coming from, even for rawhide, then you can be sure that only authorized maintainers have put them into the system (control which mirrors you're pulling them from). Actually signing the package from the build system would change very little other than insure that the mirror you're downloading from did not bring in a new package that doesn't belong.
It worries me massively, from a security perspective, that someone from inside Red Hat would say something as wrong as this.
Oh, you don't work for Red Hat. Sorry. But your statement is still completely off the field.
So as it stands, you have to extend trust to the maintainers, and the mirror. You can pick which mirror you trust.
tis 2007-10-30 klockan 19:25 +0100 skrev nodata:
It worries me massively, from a security perspective, that someone from inside Red Hat would say something as wrong as this.
Trusting the network is sadly quite common. That sort of thinking is something we in the Unix and free software world need to get rid of right now if we want to keep telling people we have the most secure systems.
I'd much rather trust "packages signed with the rawhide auto-sign key" than "packages which the internet sends you when you ask for rawhide bits".
/abo