icecat or/and firefox?
poma
pomidorabelisima at gmail.com
Mon Jan 27 19:41:35 UTC 2014
On 27.01.2014 20:28, Andrew Lutomirski wrote:
> On Mon, Jan 27, 2014 at 10:59 AM, poma <pomidorabelisima at gmail.com> wrote:
>> On 27.01.2014 19:52, Kevin Fenzi wrote:
>>
>>> copr has no provision currently to sign packages.
>>>
>>> I think it's on the todo list, but it will not be easy to implement in
>>> a secure way.
>>
>> Ouch!
>>
>
> I'm skeptical about the whole package-signing thing. Why don't we
> sign repository metadata and have that metadata store hashes of the
> appropriate packages? Then adding a key for a repository wouldn't
> magically allow that key to sign packages claiming to come from a
> different repository. It would also prevent various
> replay-old-package attacks.
>
> Configuration could be simpler, too:
>
> [some-copr-repo]
> name=Name
> metalink=whatever
> metalink_key=[private key, specified right here]
> gpgcheck=0
>
> I doubt that GPG's keyring concepts or web-of-trust stuff add any
> security whatsoever to things like rpm and yum. They do, however,
> make configuration unnecessarily arcane.
We shouldn't change so easily tried and tested methods just because you
"doubt". :)
Ouch[2]!
poma
More information about the devel
mailing list