On Mon, 2004-10-25 at 13:42, Matias Féliciano wrote:
[snip]
> By not signing their rpm in rawhide, Red Hat "force" me to
> take risk (fake rpm, ...) for _nothing_. I don't want to take these risks.
With this statement, along with Ian Pilcher's last post to this
thread, perhaps I should shut up about it, since, in essence, I'm in
violent agreement with both of you ;-).
But, I tend to agree with what someone posted about packages signed
with keys that are not password protected being only marginally better
than packages not signed at all.
I think it was actually in Bruce Schneier's Cryptogram that I read the
statement, paraphrased, that if it's worth protecting at all, then it's
worth having a password that must be typed (in reference to web server
certificates, but the principle is the same).
So, since I haven't seen any proposals, yet, for how to make sure
packages are signed, without using password-less keys, how about this
idea: Have more than one signing key for *development packages only*,
named RPM-GPG-KEY-fedora-test-arjanv, RPM-GPG-KEY-fedora-test-alan,
RPM-GPG-KEY-test-davej, etc, etc. Give it enough spread across Red Hat
to give better odds that at least one of the signers will always be
available. Shot in the dark: maybe five signers? Rotate signing
responsibility on a weekly basis, maybe? This may be a good prep for
allowing more community participation as well, giving a few outsiders
signing rights with a public key in /usr/share/rhn. That's the hope,
anyhow, since I suspect it may be a problem for Red Hat to give internal
Red Hat folks *more* responsibility in regards to Fedora Core.
Anyhow, I figured I'd just throw that out there as an idea, just off the
top of my head.
Thoughts?
--
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets
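The consumer side of the multi-key scheme proposed above, as an added example that is not part of the original post and not Red Hat's or Fedora's tooling: if several per-signer test keys are published, a client needs to know which of them signed a given rawhide package and reject anything unsigned or signed by a key that is not on the current list. The script parses the RPM signature header, pulls the OpenPGP issuer key ID out of the GPG/RSA signature tag, and checks it against an allow-list keyed by key ID. The key IDs in TRUSTED_TEST_KEYS and the RPM bytes produced by build_test_rpm are constructed for the example (the key file names are the ones suggested in the message). It does not perform the cryptographic verification itself; that remains the job of `rpm --checksig` after the public keys have been loaded with `rpm --import`.

```python
"""Added example (not code from the thread): identify which key signed an RPM
and enforce an allow-list of per-signer test keys.  Parses only enough of the
RPM signature header and the OpenPGP signature packet to read the issuer key
ID; it does NOT verify the signature (that is `rpm --checksig`'s job)."""
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8"
RPM_BIN_TYPE = 7
# Signature-header tags whose payload is an OpenPGP signature packet.
SIG_TAGS = {1002: "PGP", 1005: "GPG", 267: "DSA", 268: "RSA"}

# ASSUMPTION: constructed key IDs for the per-signer keys proposed in the
# thread; real IDs would be read from each published key file with gpg.
TRUSTED_TEST_KEYS = {
    "1A2B3C4D5E6F7081": "RPM-GPG-KEY-fedora-test-arjanv",
    "9F8E7D6C5B4A3928": "RPM-GPG-KEY-fedora-test-alan",
    "0123456789ABCDEF": "RPM-GPG-KEY-test-davej",
}

def _pgp_len(buf, pos):
    """Decode a new-format OpenPGP length (also used for subpacket lengths)."""
    b = buf[pos]
    if b < 192:
        return b, pos + 1
    if b < 255:
        return ((b - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def issuer_key_id(packet):
    """Return the 16-hex-digit issuer key ID of an OpenPGP signature packet."""
    hdr = packet[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                                 # new-format packet header
        tag, (_, pos) = hdr & 0x3F, _pgp_len(packet, 1)
    else:                                          # old-format packet header
        tag, lentype = (hdr >> 2) & 0x0F, hdr & 0x03
        if lentype == 3:
            raise ValueError("indeterminate packet length unsupported")
        pos = 1 + (1, 2, 4)[lentype]
    if tag != 2:
        raise ValueError("not a signature packet (tag %d)" % tag)
    version = packet[pos]
    if version == 3:                               # v3: key ID follows the 4-byte timestamp
        return packet[pos + 7:pos + 15].hex().upper()
    if version != 4:
        raise ValueError("unsupported signature version %d" % version)
    pos += 4                                       # version, sig type, pubkey alg, hash alg
    for _ in range(2):                             # hashed, then unhashed subpacket area
        area_len = struct.unpack(">H", packet[pos:pos + 2])[0]
        pos += 2
        end = pos + area_len
        while pos < end:
            sp_len, pos = _pgp_len(packet, pos)
            if packet[pos] & 0x7F == 16 and sp_len == 9:   # Issuer subpacket: 8-byte key ID
                return packet[pos + 1:pos + 9].hex().upper()
            pos += sp_len
    raise ValueError("signature carries no Issuer subpacket")

def _read_header(data, pos):
    """Parse one RPM header structure at pos -> (index entries, data store)."""
    if data[pos:pos + 3] != RPM_HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % pos)
    nindex, hsize = struct.unpack(">II", data[pos + 8:pos + 16])
    pos += 16
    entries = [struct.unpack(">iiii", data[pos + 16 * i:pos + 16 * (i + 1)]) for i in range(nindex)]
    pos += 16 * nindex
    return entries, data[pos:pos + hsize]

def signers(rpm):
    """Sorted issuer key IDs of every OpenPGP signature in the signature header."""
    if rpm[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM (bad lead magic)")
    entries, store = _read_header(rpm, 96)         # signature header follows the 96-byte lead
    return sorted({issuer_key_id(store[off:off + cnt])
                   for tag, typ, off, cnt in entries if tag in SIG_TAGS and typ == RPM_BIN_TYPE})

def check_policy(rpm, trusted=TRUSTED_TEST_KEYS):
    """Accept only packages signed by a key in `trusted` (key ID -> key file name)."""
    ids = signers(rpm)
    if not ids:
        return False, "unsigned package"
    unknown = [k for k in ids if k not in trusted]
    if unknown:
        return False, "signed by untrusted key(s): " + ", ".join(unknown)
    return True, "signed by " + ", ".join(trusted[k] for k in ids)

def build_test_rpm(key_id_hex=None):
    """CONSTRUCTED sample: lead + signature header (+ one fake RSA sig) + empty main header."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"fake-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    entries = store = b""
    if key_id_hex is not None:
        sub = bytes([9, 16]) + bytes.fromhex(key_id_hex)          # Issuer subpacket
        body = (bytes([4, 0, 1, 2]) + struct.pack(">H", 0) + struct.pack(">H", len(sub)) + sub
                + b"\x12\x34" + struct.pack(">H", 8) + b"\xff")  # left16 + dummy 8-bit MPI
        store = bytes([0x89]) + struct.pack(">H", len(body)) + body   # old-format tag-2 packet
        entries = struct.pack(">iiii", 268, RPM_BIN_TYPE, 0, len(store))
    sig_hdr = (RPM_HEADER_MAGIC + b"\x01" + b"\0" * 4
               + struct.pack(">II", len(entries) // 16, len(store)) + entries + store)
    sig_hdr += b"\0" * (-len(sig_hdr) % 8)                        # headers are 8-byte aligned
    return lead + sig_hdr + RPM_HEADER_MAGIC + b"\x01" + b"\0" * 4 + struct.pack(">II", 0, 0)
```

Run `check_policy(open("pkg.rpm", "rb").read())` against a real package and the verdict names the key file the signature belongs to, so a package signed with a key that has been rotated off the list, or not signed at all, is rejected with a reason a human can act on. Removing a compromised or departed signer is then a one-line change to the allow-list rather than a change to every client's keyring, which is the operational benefit of splitting the test key per signer in the first place.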