icecat or/and firefox?

poma pomidorabelisima at
Mon Jan 27 19:41:35 UTC 2014

On 27.01.2014 20:28, Andrew Lutomirski wrote:
> On Mon, Jan 27, 2014 at 10:59 AM, poma <pomidorabelisima at> wrote:
>> On 27.01.2014 19:52, Kevin Fenzi wrote:
>>> copr has no provision currently to sign packages.
>>> I think it's on the todo list, but it will not be easy to implement in
>>> a secure way.
>> Ouch!
> I'm skeptical about the whole package-signing thing.  Why don't we
> sign repository metadata and have that metadata store hashes of the
> appropriate packages?  Then adding a key for a repository wouldn't
> magically allow that key to sign packages claiming to come from a
> different repository.  It would also prevent various
> replay-old-package attacks.
> Configuration could be simpler, too:
> [some-copr-repo]
> name=Name
> metalink=whatever
> metalink_key=[private key, specified right here]
> gpgcheck=0
> I doubt that GPG's keyring concepts or web-of-trust stuff add any
> security whatsoever to things like rpm and yum.  They do, however,
> make configuration unnecessarily arcane.

We shouldn't change so easily tried and tested methods just because you
"doubt". :)


More information about the devel mailing list