Rawhide

Kevin Fenzi kevin at scrye.com
Mon Nov 5 18:32:07 UTC 2012


On Mon, 5 Nov 2012 18:55:51 +0100
Till Maas <opensource at till.name> wrote:

> Rawhide is not intended to be used for anything important and with any
> security sensitive data because the used packages are not signed.
> Whenever I asked to get Rawhide packages signed I was also told that
> it is, because of Rawhide's use case. Everybody using Rawhide for
> example to maintain Fedora packages is endangering the Fedora
> project.

I am pretty sure there was a plan to make koji sign packages. I don't
know what the status of it is however. 

I would personally love to see koji sign all official builds with a
"This was built in koji" key. 

> Nevertheless, I still believe it would be better if Fedora started to
> provide signed packages directly from Koji including Rawhide to end
> this problem. 

I agree. Any koji folks have any ideas on the status of this feature
request? 

Oh look: 
https://fedorahosted.org/koji/ticket/203

Looks like there are patches there... anyone able to test or provide
more feedback to get it moving?

> But looking at the current fedup code it seems that
> Fedora is going to be the first distribution that abandons package
> security more and more instead of trying to improve it. As far as I
> know starting with preupgrade doing insecure updates were promoted
> and now they are going to be made mandatory (except for the
> unsupported yum update method).

Please file bugs/patches? 

I'd like fedup to verify packages if it doesn't already. I'm sure others
would too. 

kevin