icecat or/and firefox?

Andrew Lutomirski luto at
Mon Jan 27 19:28:46 UTC 2014

On Mon, Jan 27, 2014 at 10:59 AM, poma <pomidorabelisima at> wrote:
> On 27.01.2014 19:52, Kevin Fenzi wrote:
>> copr has no provision currently to sign packages.
>> I think it's on the todo list, but it will not be easy to implement in
>> a secure way.
> Ouch!

I'm skeptical about the whole package-signing thing.  Why don't we
sign repository metadata and have that metadata store hashes of the
appropriate packages?  Then adding a key for a repository wouldn't
magically allow that key to sign packages claiming to come from a
different repository.  It would also prevent various
replay-old-package attacks.

Configuration could be simpler, too:

metalink_key=[private key, specified right here]

I doubt that GPG's keyring concepts or web-of-trust stuff add any
security whatsoever to things like rpm and yum.  They do, however,
make configuration unnecessarily arcane.


More information about the devel mailing list