Jeff,
your replies from gmail appear to send 2 e-mails, with the following
headers (causing me some confusion here):
1: without cc:fedora-test-list
2: with cc:fedora-test-list
Hence resending this reply to the list.
Satish
On Mon, 1 Nov 2004, Satish Balay wrote:
On Mon, 1 Nov 2004, Jeff Spaleta wrote:
> On Mon, 1 Nov 2004 14:51:34 -0600 (CST), Satish Balay <balay(a)fastmail.fm> wrote:
> > And as Matias already pointed out - lets not mix QA perception with
> > 'signature'.
>
>
> I'm not.. I haven't talked about QA at all. I'm talking about "trust"
> as defined in mature pgp/gpg implementations. Would you like
> references that talk about the trust metric inherent in something like gnupg?
> I'm saying that comparing packaging signing as implemented inside the
> rpm to general purpose gpg signing using gnupg is a somewhat apples to
> oranges discussion, and that the principles associated with general
> purpose gpg usage using an implementation like gnupg can not be mapped
> over to rpm's signing implementation without acknowledgment that rpm's
> lack of that inherent "trust" metric has greatly impacted what rpm
> package signing has meant historically. Changing the meaning now,
> simply by changing documentation isn't good enough for me. I believe
> the web-of-trust concept is a vital part of a full gpg implementation,
> and that historically the lack of a web-of-trust metric has meant that
> signed packages have been used both for shallow verification and as an
> inherent measure of "trust". Once there is an inherent "trust" metric
> in respect of signed keys inside rpm, many of my concerns would be
> addressed. I encourage you to read up on how gnupg (aka gpg)
> calculates its trust database.... it has nothing to do with QA.
Long statements spin my head.
You say:
- rpm's package signing is not same as 'gnupg' signing
- the big difference is 'trust' mechanism (there is none for rpm)
- there is an inherent 'trust' in rpm signed packages due to the absence of other
  proper means.
- signing rawhide breaks this inherent trust.
- rpm implementing web-of-trust is the solution.
I'm not much familiar with gnupg (just ssh keys) - so I keep thinking
- the 'trust' mechanism of gnupg is primarily to validate 'public' keys.
I still don't understand how you get the extra security of 'inherent
trust' - and how 'rawhide signed' packages (with a different key)
breaks this. The public keys are what I trust - and I'd like to use
each key differently.
Satish
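To make the "trust metric" Jeff refers to concrete, here is an added example (not code from either poster, nor from gnupg or rpm): a simplified model of the classic gnupg web-of-trust validity calculation, using its documented defaults (one fully trusted signer or three marginally trusted signers make a key valid, each signer must itself be valid, and certification chains are cut off at depth 5). Key ids, owner-trust settings and signatures are constructed sample data; rpm's keyring check corresponds to the degenerate case where every imported key is simply accepted, which is the difference being argued about in the thread.

```python
# Defaults of the classic gnupg trust model (--completes-needed,
# --marginals-needed, --max-cert-depth). Everything below is an
# illustrative model, not gnupg's own implementation.
COMPLETES_NEEDED = 1   # signatures from fully trusted keys needed
MARGINALS_NEEDED = 3   # signatures from marginally trusted keys needed
MAX_CERT_DEPTH = 5     # longest accepted chain of certifications


def compute_validity(ownertrust, signatures):
    """Return {key_id: depth} for every key that ends up fully valid.

    ownertrust: {key_id: 'ultimate' | 'full' | 'marginal' | 'unknown'}
                (the trust you assign to the key's owner as a certifier)
    signatures: {key_id: set of key_ids that certified key_id}
    Keys missing from the result are not valid: a signature made with
    them would not be accepted as trustworthy without a warning.
    """
    # Your own keys (owner trust 'ultimate') are valid by definition.
    valid = {k: 0 for k, t in ownertrust.items() if t == 'ultimate'}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            completes = marginals = 0
            for s in signers:
                if s not in valid:      # only valid keys can certify
                    continue
                t = ownertrust.get(s, 'unknown')
                if t in ('ultimate', 'full'):
                    completes += 1
                elif t == 'marginal':
                    marginals += 1
                # 'unknown' / 'never' signers contribute nothing
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break                        # nothing changed, fixpoint reached
        valid.update(newly)
    return valid


def sample_keyring():
    """Constructed keyring: ME is my key; A is fully trusted; B, C, D are
    marginally trusted; the rest have no owner trust assigned."""
    ownertrust = {'ME': 'ultimate', 'A': 'full', 'B': 'marginal',
                  'C': 'marginal', 'D': 'marginal', 'X': 'unknown',
                  'Y': 'unknown', 'Z': 'unknown', 'W': 'unknown', 'E': 'unknown'}
    signatures = {'A': {'ME'}, 'B': {'ME'}, 'C': {'ME'}, 'D': {'ME'},
                  'X': {'A'},            # one full signer: valid
                  'Y': {'B', 'C', 'D'},  # three marginal signers: valid
                  'Z': {'B', 'C'},       # only two marginals: not valid
                  'W': {'X'},            # X is valid but has no owner trust
                  'E': set()}            # nobody certified E
    return ownertrust, signatures
```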