icecat or/and firefox?
Andrew Lutomirski
luto at mit.edu
Mon Jan 27 19:28:46 UTC 2014
On Mon, Jan 27, 2014 at 10:59 AM, poma <pomidorabelisima at gmail.com> wrote:
> On 27.01.2014 19:52, Kevin Fenzi wrote:
>
>> copr has no provision currently to sign packages.
>>
>> I think it's on the todo list, but it will not be easy to implement in
>> a secure way.
>
> Ouch!
>
I'm skeptical about the whole package-signing thing. Why don't we
sign repository metadata and have that metadata store hashes of the
appropriate packages? Then adding a key for a repository wouldn't
magically allow that key to sign packages claiming to come from a
different repository. It would also prevent various
replay-old-package attacks.
Configuration could be simpler, too:
[some-copr-repo]
name=Name
metalink=whatever
metalink_key=[private key, specified right here]
gpgcheck=0
I doubt that GPG's keyring concepts or web-of-trust stuff add any
security whatsoever to things like rpm and yum. They do, however,
make configuration unnecessarily arcane.
--Andy
More information about the devel
mailing list