Should Fedora rpms be signed?

Jeff Spaleta jspaleta at gmail.com
Mon Nov 1 20:14:02 UTC 2004


On Mon, 1 Nov 2004 13:47:32 -0600 (CST), Satish Balay <balay at fastmail.fm> wrote:
> But unless you are saying: somehow the current non-gpg-signed packages
> are preventing such folks from doing the wrong things (listed above) -
> and 'gpg-signing' encourages them to do them - your text adds no
> substance to the discussion.

Fine, I'll repeat myself...again.

Yes... I firmly believe...that long term... as tools become more
signature aware and tools become more demanding that signatures be
present on consumable rpms, that signing throw-away packages like
rawhide packages encourages people to use those packages out of
context, and encourages people to store individual rawhide packages
for later use on other systems, instead of encouraging people to use
a full rawhide collection.

We can argue about the technical definition of what gpg-signing
means...as originally conceived in the pgp/gpg methodology, but it is a
pointless thing to discuss... in the context of rpm package signing.
rpm package signing is NOT a full implementation of a gpg/pgp signing
system. rpm's lack of understanding of what a signed key is greatly
impacts "trust" as a quantifiable concept..and automatically elevates
all signed packages to the same "trust" status. Whereas mature general
use gpg/pgp implementations know what a key signature means, and how to
calculate "trust" from signatures on keys. If you trust me, and I sign
someone else's key, that key earns a measure of trust from my
signature. gnupg understands this concept of the web of trust.. rpm
does not...that is significant in the context of how rpm package
signing has been used so far. Because there is a lack of trust metric
in rpm's implementation, package signing..by vendors..has
historically meant more than prescribed by a general gpg methodology
definition of signing. This isn't a matter of one or two really
really stupid users doing something really really stupid. This is a
matter of common perception as to what signing a package means, and
what vendors have historically wanted people to think signing a package
means... in the context of rpm's implementation of signing and not in
the context of gnupg's or pgp's general purpose implementation. And I
argue that historically... rpm package signing has meant more than
"built on this host" and that many vendors including Red Hat have
meant it to mean more than "built on this host." And I will argue
that until rpm gets support for the trust metric concept using signed
keys, signing rawhide packages encourages people to "trust" rawhide
packages. Where "trust" is a quantifiable measurement based on key
signatures.

-jef
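The distinction Jeff draws above, between rpm's flat "imported key equals trusted key" model and GnuPG's web of trust, is easier to see in code. The following is an added illustration, not code from the thread or from rpm or GnuPG: it models rpm's behaviour as "the signer's key is in the keyring" (an assumption that simplifies rpm's keyring handling to the property under discussion) and implements a GnuPG-style validity computation with the classic defaults (one fully trusted signer, or three marginally trusted signers, within a bounded chain length). All key ids and owner-trust assignments are constructed for the example.

```python
"""Flat key trust (rpm-style) versus web-of-trust validity (GnuPG-style).

Added example for illustration; the keyring below is constructed and the
rpm model is simplified to 'signer key is imported => package accepted'.
"""
from dataclasses import dataclass, field

# Owner-trust levels, named as GnuPG names them.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Key:
    keyid: str
    ownertrust: str = UNKNOWN                     # how far we trust the owner to certify others
    signed_by: set = field(default_factory=set)   # key ids that have certified this key


def rpm_style_trust(keyring, signer_keyid):
    """Flat model: once a key is imported it validates packages, full stop.

    There is no notion of how trusted the key is, which is the point made
    in the post: every signed package lands at the same 'trust' level."""
    return signer_keyid in keyring


def compute_validity(keyring, marginals_needed=3, completes_needed=1, max_depth=5):
    """GnuPG-style key validity: returns {keyid: 'valid' | 'marginal' | 'unknown'}.

    A key is valid if it is ultimately trusted, or if it carries signatures
    from enough *valid* keys whose owners we trust: one fully trusted
    introducer, or marginals_needed marginally trusted ones. Each pass of
    the loop extends the trust chain by one hop, so max_depth bounds the
    chain length (assumption: this mirrors GnuPG's max-cert-depth idea)."""
    validity = {k: UNKNOWN for k in keyring}
    for k, key in keyring.items():
        if key.ownertrust == ULTIMATE:
            validity[k] = "valid"          # our own key(s): valid by definition

    for _ in range(max_depth):
        changed = False
        for k, key in keyring.items():
            if validity[k] == "valid":
                continue
            full = marginal = 0
            for signer in key.signed_by:
                s = keyring.get(signer)
                # Only signatures from keys that are themselves valid count.
                if s is None or validity[signer] != "valid":
                    continue
                if s.ownertrust in (ULTIMATE, FULL):
                    full += 1
                elif s.ownertrust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                new = "valid"
            elif full or marginal:
                new = "marginal"           # some trusted certification, not enough
            else:
                new = UNKNOWN
            if new != validity[k]:
                validity[k] = new
                changed = True
        if not changed:
            break
    return validity


def build_sample_keyring():
    """Constructed keyring: alice is us; everything else is made up."""
    return {
        "alice":   Key("alice", ULTIMATE),
        "bob":     Key("bob", FULL, {"alice"}),
        "carol":   Key("carol", MARGINAL, {"alice"}),
        "dave":    Key("dave", MARGINAL, {"alice"}),
        "frank":   Key("frank", UNKNOWN, {"bob"}),            # one full introducer
        "grace":   Key("grace", UNKNOWN, {"carol", "dave"}),  # two marginal introducers
        "mallory": Key("mallory", UNKNOWN),                   # imported, never certified
    }


if __name__ == "__main__":
    kr = build_sample_keyring()
    validity = compute_validity(kr)
    for keyid in kr:
        print(f"{keyid:8} rpm-style: {'accept' if rpm_style_trust(kr, keyid) else 'reject':6} "
              f"web-of-trust: {validity[keyid]}")
```

In the flat model every key in the sample keyring, mallory's included, accepts packages; in the web-of-trust model frank is valid through bob, grace is only marginal (two marginal introducers, three needed), and mallory stays unknown. Lowering `marginals_needed` to 2 is the knob that would promote grace, which is exactly the kind of quantifiable trust policy rpm's keyring has no way to express.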




More information about the test mailing list