On Monday 01 November 2004 at 15:14 -0500, Jeff Spaleta wrote:
> We can argue about the technical definition of what gpg-signing
> means... as originally conceived in the pgp/gpg methodology, but it is a
> pointless thing to discuss... in the context of rpm package signing.
> rpm package signing is NOT a full implementation of a gpg/pgp signing
> system. rpm's lack of understanding of what a signed key is greatly
> impacts "trust" as a quantifiable concept... and automatically elevates
> all signed packages to the same "trust" status.
The "trust" in gpg only defines the trust in the origin of the key!
A key will _NEVER_ define the "trust" you should put in a package. A
signed package tells you the origin of the package. The origin of the package
(with some documentation (QA), the reputation of the provider, friends'
advice, ...) tells you whether you would take the risk (or not) of installing
the package on your system. The decision to install the package is up to
you. Not to gpg.
You can fully trust my gpg key (because my friends sign my key and you
know my friends), but you should not trust me if I tell you: "please,
enter 'rm -r -f /' as root" :-)
The trust in gpg is not an indicator of quality or intelligence.
> Whereas mature general use
> gpg/pgp implementations know what a signature means, and how to
> calculate "trust" from signatures on keys. If you trust me, and I sign
> someone else's key, that key earns a measure of trust from my
> signature. gnupg understands this concept of the web of trust... rpm
> does not...
Use something like:
$ gpg --refresh-keys --keyserver pgp.mit.edu
[...]
$ LANG=C rpm -K -v udev-039-6.i386.rpm | sed -n -e "s/.*Header.* \([[:alnum:]]\+\)$/\1/p" | xargs gpg --list-key -v
pub 1024D/4F2A6FD2 2003-10-27 Fedora Project <fedora(a)redhat.com>
sig 3 4F2A6FD2 2003-10-27 Fedora Project <fedora(a)redhat.com>
sig 3 DB42A60E 2003-10-27 Red Hat, Inc <security(a)redhat.com>
sig 8DF56D05 2003-10-28 Fedora Linux (RPMS) <security(a)fedora.us>
sig 3 D1C76C53 2004-04-26 Féliciano Matias (normal)
<feliciano.matias(a)free.fr>
sig 11E60E88 2004-08-07 [Nom utilisateur introuvable]
sig 003E1D9D 2004-08-07 [Nom utilisateur introuvable]
sig FAF6AFE3 2004-08-07 [Nom utilisateur introuvable]
sig 2A74F90D 2004-08-07 [Nom utilisateur introuvable]
sig 7BAC7F6C 2004-10-23 [Nom utilisateur introuvable]
sig 2 CF4655CF 2003-12-15 [Nom utilisateur introuvable]
sig 2 BE950472 2004-05-17 [Nom utilisateur introuvable]
sig 3 BB4B29A7 2003-12-03 [Nom utilisateur introuvable]
sig 3 A8F02EF5 2004-10-21 [Nom utilisateur introuvable]
sig 3 D950C647 2004-01-20 [Nom utilisateur introuvable]
sig 3 02FF71B2 2004-02-15 [Nom utilisateur introuvable]
sig 3 ADD4C933 2004-02-21 [Nom utilisateur introuvable]
sig 3 8B415BA9 2004-03-29 [Nom utilisateur introuvable]
sig 3 DC29E554 2004-03-29 [Nom utilisateur introuvable]
sig 3 R A403ECA0 2004-02-23 [Nom utilisateur introuvable]
sub 1024g/FB939E34 2003-10-27
sig 4F2A6FD2 2003-10-27 Fedora Project <fedora(a)redhat.com>
Well, I have a little gpg keyring.
This only says:
- I can trust the origin of the key and then the origin of the package.
Nothing else.
Suppose I ran this command under RHEL 2.1. Should I install udev on RHEL 2.1?
> that is significant in the context of how rpm package
> signing has been used so far. Because there is a lack of trust metric
> in rpm's implementation, package signing... by vendors... has
> historically meant more than prescribed by a general gpg methodology
> definition of signing.
The vendor: trust our solution for mission-critical use, because..., because...
The client: I trust you because..., because...
The vendor: Get the product (package) here.
The client: How can I be sure this package comes from you?
The vendor: The package is signed with our key. Our key is signed on
pgp.mit.edu by other people.
NB: The client trusts the vendor as a provider of mission-critical
solutions _before_ using any signature.
> This isn't a matter of one or two really
> really stupid users doing something really really stupid. This is a
> matter of common perception as to what signing a package means,
What is this "common perception"?
People trust RHEL for mission-critical servers but they don't trust
Fedora for mission-critical ones.
However, Fedora _and_ RHEL have signed rpms.
> and
> what vendors have historically wanted people to think signing a package
> means... in the context of rpm's implementation of signing and not in
> the context of gnupg's or pgp's general purpose implementation. And I
> argue that historically... rpm package signing has meant more than
> "built on this host" and that many vendors including Red Hat have
> meant it to mean more than "built on this host." And I will argue
> that until rpm gets support for the trust metric concept using signed
> keys, signing rawhide packages encourages people to "trust" rawhide
> packages.
"Trust" me, rawhide is full of bugs. We don't need any "metric concept
using signed keys" to know that.
> Where "trust" is a quantifiable measurement based on key
> signatures.
> -jef
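As an added example (not part of this mail or of rpm/gpg), the same check as the `rpm -K -v | sed | xargs gpg --list-key` pipeline above, done in a small Python script: it reads the signing key ID and status from rpm's header signature line, then reads the certifications on that key from the gpg listing, and reports only what those two facts establish, the origin of the package. The rpm and gpg output embedded below is constructed to match the layout shown in the mail (C locale, so unknown signers read "[User ID not found]"); the key IDs are the ones from the mail, the digest is a dummy value.

```python
import re
# Constructed sample of `LANG=C rpm -K -v udev-039-6.i386.rpm` (rpm 4.x layout); key ID from the mail, dummy digest.
RPM_K_OUTPUT = """\
udev-039-6.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    V3 DSA signature: OK, key ID 4f2a6fd2
"""
# Constructed excerpt of `gpg --list-key -v 4F2A6FD2` (C locale), layout as in the mail.
GPG_LIST_OUTPUT = """\
pub   1024D/4F2A6FD2 2003-10-27 Fedora Project <fedora@redhat.com>
sig 3        4F2A6FD2 2003-10-27 Fedora Project <fedora@redhat.com>
sig 3        DB42A60E 2003-10-27 Red Hat, Inc <security@redhat.com>
sig          8DF56D05 2003-10-28 Fedora Linux (RPMS) <security@fedora.us>
sig          11E60E88 2004-08-07 [User ID not found]
sig 3 R      A403ECA0 2004-02-23 [User ID not found]
sub   1024g/FB939E34 2003-10-27
sig          4F2A6FD2 2003-10-27 Fedora Project <fedora@redhat.com>
"""
# rpm: "Header V3 DSA signature: <OK|BAD|NOKEY>, key ID <hex>"; gpg: "sig [1-3 level] [flags] KEYID DATE USERID"
SIG_RE = re.compile(r"^\s*Header .*signature: (\w+)(?:, key ID ([0-9a-fA-F]{8,16}))?\s*$", re.M)
CERT_RE = re.compile(r"^sig\s+(?:([123])\s+)?(?:([A-Z]+)\s+)?([0-9A-F]{8,16})\s+(\S+)\s+(.*)$")

def header_signature(rpm_k_output):
    """(status, KEYID) from rpm's header signature line, or (None, None) if absent."""
    m = SIG_RE.search(rpm_k_output)
    return (m.group(1), m.group(2).upper() if m.group(2) else None) if m else (None, None)

def certifications(gpg_output, key_id):
    """Third-party sigs on primary key `key_id` as (level, flags, signer, date, uid)."""
    key_id, certs, inside = key_id.upper(), [], False
    for line in gpg_output.splitlines():
        if line.startswith("pub "):
            inside = line.split()[1].split("/")[-1].upper() == key_id
        elif line.startswith("sub "):
            inside = False  # subkey binding sigs say nothing about who vouches for the key
        elif inside and (m := CERT_RE.match(line)) and m.group(3) != key_id:  # skip self-sig
            level = int(m.group(1)) if m.group(1) else None
            certs.append((level, m.group(2) or "", m.group(3), m.group(4), m.group(5)))
    return certs

def origin_report(rpm_k_output, gpg_output):
    """Only what the two commands establish: who signed, and which keys you hold vouch for that key."""
    status, key_id = header_signature(rpm_k_output)
    if status != "OK" or key_id is None:
        return {"origin_verified": False, "rpm_status": status}
    certs = certifications(gpg_output, key_id)
    known = [c for c in certs if not c[4].startswith("[")]  # "[User ID not found]": a key you lack
    return {"origin_verified": True, "key_id": key_id, "certifications": len(certs),
            "known_signers": [c[2] for c in known], "known_level3": [c[2] for c in known if c[0] == 3]}
```

A BAD or NOKEY status from rpm stops the report before any key is consulted; an OK report still says nothing about whether the package should be installed, which is the point of the mail.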