Should Fedora rpms be signed?

Satish Balay balay at fastmail.fm
Mon Nov 1 18:58:22 UTC 2004



On Mon, 1 Nov 2004, Peter Jones wrote:

<snip>

> It says that we intended to release it in a form that is fit to be used.

I don't see any problem with this reasoning for rawhide. 'form that is
fit to be used' here would imply 'testing'.


> (Although clearly it does not imply any warranty, including the implied
> warranties of merchantability and fitness for a particular purpose ;)
> 
> It says we believe that the actual data in the package headers -- the
> scriptlets, the triggers, the conflicts, the provides, etc. -- are of a
> quality that Fedora believes is sufficient for release.

rawhide is not a release - so no one will confuse signed packages in
rawhide as 'release quality' - and won't eat 'data'. - so no conflict
here.

>  These things are Red Hat's and Fedora's value add, and a signature
> says that we believe we've actually added value.

Yes - no conflict here. (there is value added in rawhide)

> It also conveys that some packager whom we trust has looked over the
> payload and does not consider its contents to be *hostile* to our users.

This is the primary point of difference. Personally - I'd like to know
EXACTLY what's done by the package signer to guarantee 'no' tampering
'anywhere'. (source/binary/process). My contention is - not much
difference other than a 'cursory' check.

> Consider RHEL errata.  When RH releases an erratum, the signature
> doesn't just say "this is some package from Red Hat".  It says that
> you can use the signature, combined with the checksums and the data
> in the erratum.  For what can they be used?

No one confuses RHEL errata with Fedora errata - or with
rawhide. (none of them are interchangeable). So there is no conflict of
concepts on signing on this point (wrt rawhide).

> You should already know the answer here.  What the signature
> provides is a way to verify Red Hat's intent and belief that the
> package in the user's hands does actually fix the problems described
> in the erratum, and to some (lesser) extent that it does not
> introduce more problems

No confusion here either - as rawhide packages are never mistaken for
erratum packages.

And each branch (RHEL/fedora/rawhide) should have its own different
gpg-keys anyway.

Satish
