Rawhide

Dennis Gilmore dennis at ausil.us
Tue Nov 6 04:52:17 UTC 2012



On Mon, 5 Nov 2012 11:32:07 -0700
Kevin Fenzi <kevin at scrye.com> wrote:
> On Mon, 5 Nov 2012 18:55:51 +0100
> Till Maas <opensource at till.name> wrote:
> 
> > Rawhide is not intended to be used for anything important and with
> > any security sensitive data because the used packages are not
> > signed. Whenever I asked to get Rawhide packages signed I was also
> > told that it is, because of Rawhide's use case. Everybody using
> > Rawhide for example to maintain Fedora packages is endangering
> > the Fedora project.
> 
> I am pretty sure there was a plan to make koji sign packages. I don't
> know what the status of it is however. 

No one is working on it at all. I'm actually kind of against the idea.
As things currently stand we would instantly double the disk we need
for /mnt/koji. All the key would give us is a "yes, this build was done as
a real build in koji". The security of the gpg key would be less since
we need to have automated processes able to access the key. The value
of the signed rpm is less. It also opens up another attack vector that
"could" be exploited. We would need to sign the metadata or still
resign all the rpms, each of which has associated costs. Signing the
metadata means someone will need to manually do it at the end of a
package push process. In the case of branched or rawhide, if we signed
its metadata it could be hours until someone wakes up to sign the
metadata, or we would have to change when the runs happen so that it lands later.

To me the big issue becomes that we can't trust the key as much, since it's
either open or the password to unlock it is stored in plain text
somewhere so that it can be unlocked or rpms automatically signed. The
only way to really have it work right would reduce the security and
trust in the key. All we would gain is a way to distinguish an official
build vs a scratch build in koji or a build someone did to mimic our
environment.

> I would personally love to see koji sign all official builds with a
> "This was built in koji" key. 
> 
> > Nevertheless, I still believe it would be better if Fedora started
> > to provide signed packages directly from Koji including Rawhide to
> > end this problem. 
> 
> I agree. Any koji folks have any ideas on the status of this feature
> request? 
> 
> Oh look: 
> https://fedorahosted.org/koji/ticket/203
> 
> Looks like there are patches there... anyone able to test or provide
> more feedback to get it moving?

AFAIK the patches are not at all tested; I've not looked to see if it
would mean we end up using twice the disk we use today or not. It would
also prevent the ability to reclaim disk by purging the signed copy of
the rpm easily, since all rpms would be signed with the same key. We
then would need to either not have our gpg keys expire or have
processes to resign everything and switch over to new keys or some
other transition method.

> > But looking at the current fedup code it seems that
> > Fedora is going to be the first distribution that abandons package
> > security more and more instead of trying to improve it. As far as I
> > know starting with preupgrade doing insecure updates were promoted
> > and now they are going to be made mandatory (except for the
> > unsupported yum update method).
> 
> Please file bugs/patches? 
> 
> I'd like fedup to verify packages if it doesn't already. I'm sure
> others would too.

I would think that fedup should force the verification of packages. As
long as it's not rawhide they are all signed and can be verified.

Dennis
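An added example, not part of the thread or of fedup/koji: a gate in the spirit of the mandatory verification discussed above, which reads the signature tags of each package file with rpm's query format and rejects anything unsigned or signed by a key not in an allow-list. The `:pgpsig` formatting and the RSAHEADER/DSAHEADER/SIGPGP/SIGGPG tags are standard rpm; the key ID in the comments is a constructed sample.

```python
"""Refuse to install RPMs that carry no (or an untrusted) GPG signature."""
import re
import subprocess
import sys

# rpm prints a signature tag as, for example,
#   "RSA/SHA256, Tue 06 Nov 2012 04:52:17 UTC, Key ID 0123456789abcdef"
# and "(none)" when the tag is absent. The key ID above is a constructed sample.
KEY_ID_RE = re.compile(r"Key ID ([0-9a-f]{16})", re.IGNORECASE)

# Header-only signatures live in RSAHEADER/DSAHEADER; older packages carry
# the legacy SIGPGP/SIGGPG tags, so query all four and accept any one of them.
SIG_TAGS = ("RSAHEADER", "DSAHEADER", "SIGPGP", "SIGGPG")


def classify(sig_values):
    """Map the queried tag values (one per SIG_TAGS entry, as printed with
    :pgpsig) to ('signed', key_id) or ('unsigned', None)."""
    for value in sig_values:
        value = value.strip()
        if value and value != "(none)":
            m = KEY_ID_RE.search(value)
            return ("signed", m.group(1).lower() if m else None)
    return ("unsigned", None)


def query_signature(path):
    """Ask rpm for the signature tags of one package file on disk."""
    fmt = "\n".join("%%{%s:pgpsig}" % tag for tag in SIG_TAGS)
    out = subprocess.run(["rpm", "-qp", "--qf", fmt, path],
                         capture_output=True, text=True, check=True).stdout
    return classify(out.split("\n"))


def unsigned_packages(paths, trusted_keys, query=query_signature):
    """Return the paths that are unsigned or signed by a key outside
    trusted_keys (lower-case 16-hex key IDs). `query` is injectable so the
    policy can be exercised without rpm installed."""
    rejected = []
    for path in paths:
        state, key_id = query(path)
        if state != "signed" or key_id not in trusted_keys:
            rejected.append(path)
    return rejected


if __name__ == "__main__":
    # usage: check_signed.py KEYID[,KEYID...] pkg.rpm [pkg.rpm ...]
    trusted = {k.lower() for k in sys.argv[1].split(",")}
    bad = unsigned_packages(sys.argv[2:], trusted)
    for path in bad:
        print("REJECT (unsigned or untrusted key):", path)
    sys.exit(1 if bad else 0)
```

Pairing this with `rpmkeys --import` of the distribution key and `rpmkeys -K` on the files gives the cryptographic check; this script only enforces the "must be signed by a known key" policy on top of it.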


More information about the devel mailing list