Should Fedora rpms be signed?
Satish Balay
balay at fastmail.fm
Mon Nov 1 20:51:34 UTC 2004
On Mon, 1 Nov 2004, Jeff Spaleta wrote:
> On Mon, 1 Nov 2004 13:47:32 -0600 (CST), Satish Balay <balay at fastmail.fm> wrote:
> > But unless you are saying: somehow the current non-gpg-signed packages
> > are preventing such folks from doing the wrong things (listed above) -
> > and 'gpg-signing' encourages them to do them - your text adds no
> > substance to the discussion.
>
> Fine, I'll repeat myself...again.
>
> Yes... I firmly believe...that long term... as tools become more
> signature aware and tools become more demanding that signatures be
> present on consumable rpms, that signing throw away packages like
> rawhide packages encourages people to use those packages out of
> context, and encourages people to store individual rawhide packages
> for later use on other systems, instead of encouraging people to use
> a full rawhide collection.
I (as a clueless user) can do the same thing with unsigned
packages. gpg doesn't encourage anything new to the clueless user.
>
> We can argue about the technical definition of what gpg-signing
> means.
Let's not.
> This is a matter of common perception as to what signing a package
> means, and what vendors have historically wanted people to think
> signing a package means... in the context of rpm's implementation of
> signing and not in the context of gnupg's or pgp's general purpose
> implementation. And I argue that historically... rpm package
> signing has meant more than "built on this host" and that many
> vendors including Red Hat have meant it to mean more than "built on
> this host." And I will argue that until rpm gets support for the
> trust metric concept using signed keys, signing rawhide packages
> encourages people to "trust" rawhide packages. Where "trust" is a
> quantifiable measurement based on key signatures. -jef
- Here the assumption is: EVERYONE's perception about gpg-signed rpms
(or rawhide) is the same.
- And perception is no excuse for proper documentation.
- There will always be wrong assumptions by users. This doesn't equate
to not signing-rawhide-packages. [And documenting it]
And as Matias already pointed out - let's not mix QA perception with
'signature'.
Satish