EPEL repo signing [was Re: Python 3 for 7?]

Matthew Miller mattdm at fedoraproject.org
Mon Jan 20 14:11:48 UTC 2014


On Fri, Jan 17, 2014 at 03:42:34PM -0700, Kevin Fenzi wrote:
> > My thoughts are these (in no particular order).
> >  * Treat this branch like Rawhide. All builds targeted at this are
> > composed to a repo. Signing is nice, but not mandatory in my opinion.
> It's pretty much impossible to sign rawhide style repos. ;) 

I don't think that's the case. It does affect what significance / level of
trust is attached to the signature, though. Signing which happens as part of
the build process asserts that _this package came through our build system_.
(And implicitly, that we think the build system isn't compromised.)

That's less of a strong guarantee than "a human inspected this package and
asserts that ________", with _______ being whatever human verification is
done. It's my understanding that right now, the signing process actually doesn't
make a very strong assertion at all -- it is roughly "a human ran a script
to take output from the area where the build system is expected to put it,
and this is that output". Correct me if I'm wrong!

This is somewhat more secure than signing _in_ the build system because the
signing key is more protected, but could potentially introduce another
avenue of attack (between buildsystem output and signing). If the build
system is compromised in a way that isn't detected, compromised output would
likely get signed anyway, right? It's not much of a stronger assertion than
the auto-signed one.

Doing anything much greater involves human time with each package, and
that's really expensive. Since I don't think we are likely to get the
funding to do that, and since being able to make the _basic_ assertion for
all of our devel/rawhide packages would be quite valuable, I think we should
aim for doing it. (Whether it should replace or just supplement the current
signing process, I don't have a really strong opinion on, although I'm in
general in favor of more automation and less work which depends on
intervention from specially-privileged humans, because that can become a
bottleneck.)

-- 
Matthew Miller    --   Fedora Project    --    <mattdm at fedoraproject.org>