Should Fedora rpms be signed?

Satish Balay balay at fastmail.fm
Mon Nov 1 23:54:22 UTC 2004


Jeff,

your replies from gmail appear to send 2 e-mails - with the following
headers (causing me some confusion here)

1: without cc:fedora-test-list
2: with cc:fedora-test-list 

Hence resending this reply to the list.

Satish

On Mon, 1 Nov 2004, Satish Balay wrote:

> 
> 
> On Mon, 1 Nov 2004, Jeff Spaleta wrote:
> 
> > On Mon, 1 Nov 2004 14:51:34 -0600 (CST), Satish Balay <balay at fastmail.fm> wrote:
> > > And as Matias already pointed out - let's not mix QA perception with
> > > 'signature'.
> > 
> > 
> > I'm not... I haven't talked about QA at all. I'm talking about "trust"
> > as defined in mature pgp/gpg implementations. Would you like
> > references that talk about the trust metric inherent in something like gnupg?
> > I'm saying that comparing packaging signing as implemented inside the
> > rpm to general purpose gpg signing using gnupg is a somewhat apples to
> > oranges discussion, and that the principles associated with general
> > purpose gpg usage using an implementation like gnupg can not be mapped
> > over to rpm's signing implementation without acknowledgment that rpm's
> > lack of that inherent "trust" metric has greatly impacted what rpm
> > package signing has meant historically.  Changing the meaning now,
> > simply by changing documentation isn't good enough for me. I believe
> > the web-of-trust concept is a vital part of a full gpg implementation,
> > and that historically the lack of a web-of-trust metric has meant that
> > signed packages have been used both for shallow verification and as an
> > inherent measure of "trust".  Once there is an inherent "trust" metric
> > respect of signed keys inside rpm, many of my concerns would be
> > addressed.  I encourage you to read up on how gnupg (aka gpg)
> > calculates its trust database.... it has nothing to do with QA.
> 
> 
> Long statements spin my head.
> 
> You say:
> 
> - rpm's package signing is not the same as 'gnupg' signing
> - the big difference is 'trust' mechanism (there is none for rpm)
> - there is an inherent 'trust' in rpm signed packages due to the absence of other proper means.
> - signing rawhide breaks this inherent trust.
> - rpm implementing web-of-trust is the solution.
> 
> I'm not much familiar with gnupg (just ssh keys) - so I keep thinking
> - the 'trust mechanism' of gnupg is primarily to validate 'public'
> keys.
> 
> I still don't understand how you get the extra security of 'inherent
> trust' - and how 'rawhide signed' packages (with a different key)
> break this. The public keys are what I trust - and I'd like to use
> each key differently.
> 
> Satish
> 
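A toy comparison of the two verification models argued about above, as an added example that is not part of the thread: an rpm-style keyring accepts a good signature from any imported key, while a simplified GnuPG-style web of trust derives key validity from owner trust and certifications. The key names, trust assignments and certification graph are constructed, and the thresholds (one full or three marginal certifiers, depth limit five) are a simplification of GnuPG's defaults.

```python
"""Added example, not from the thread: a toy model of the two verification
models the discussion contrasts. An rpm keyring treats any imported key as
good; a GnuPG-style web of trust derives key validity from owner trust and
certifications. All key names below are constructed."""

# Simplified GnuPG defaults: a key is valid if certified by one fully
# trusted valid key or three marginally trusted valid keys (depth <= 5).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def rpm_style_valid(keyring, signer):
    """rpm --checksig model: a good signature from any imported key passes."""
    return signer in keyring


def wot_valid_keys(owner_trust, certs):
    """owner_trust: key -> 'ultimate' | 'full' | 'marginal' | 'unknown'.
    certs: certified_key -> set of keys that certified it.
    Returns the set of keys the web-of-trust rules consider valid."""
    valid = {k for k, t in owner_trust.items() if t == "ultimate"}
    for _depth in range(MAX_CERT_DEPTH):
        newly = set()
        for key, signers in certs.items():
            if key in valid:
                continue
            trusted = [s for s in signers if s in valid]  # only valid keys count
            full = sum(owner_trust.get(s) in ("full", "ultimate") for s in trusted)
            marginal = sum(owner_trust.get(s) == "marginal" for s in trusted)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid


# Constructed scenario: both distribution keys are imported into the rpm
# keyring, but only one has enough certifications from keys I trust.
KEYRING = {"release-key", "rawhide-key", "me"}
OWNER_TRUST = {"me": "ultimate", "alice": "marginal", "bob": "marginal",
               "carol": "marginal"}
CERTS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"},
    "release-key": {"alice", "bob", "carol"},
    "rawhide-key": {"alice"},            # only one marginal certifier
}


def verdicts(signer):
    """Return (rpm-style verdict, web-of-trust verdict) for one signing key."""
    return rpm_style_valid(KEYRING, signer), signer in wot_valid_keys(OWNER_TRUST, CERTS)
```

Both distribution keys pass the rpm-style check once imported; only the one with enough certifications from trusted keys is valid under the web-of-trust rules, which is the "inherent trust" gap the thread is about.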
