Should Fedora rpms be signed?

Peter Jones pjones at redhat.com
Thu Nov 4 22:12:03 UTC 2004


On Thu, 2004-11-04 at 11:33 +0100, Nils Philippsen wrote:
> On Mon, 2004-11-01 at 18:50 -0500, Peter Jones wrote:
> > On Mon, 2004-11-01 at 17:34 -0600, Satish Balay wrote:
> > > Ok - you & Seth seem to have a solution to the problem.
> > > 
> > > Still no good explanation why ALL keys should be treated the same.
> > 
> > Because there's nothing about a key that tells you how to treat it.
> 
> Exactly. There's where "common sense" comes into play, i.e. I shouldn't
> enable Rawhide repositories if a broken system makes me cry.

We're not just talking about rawhide.  We're talking about Axil's repo,
and Matthias's repo, and the cdparanoia repo on my people.redhat.com
site, and the repo on Seth's website.

There is no common sense answer to "I have 40 keys signing things and
none of them specify what the signature means".

Quit thinking that we're talking about one key.  We're talking about
many.

> Let's face it, currently a signed package only means "someone/-thing has
> signed off on it" on a technical level, anything else is just what we
> humans put into it and nothing tools can guess by themselves. I.e. we
> can only differentiate between "keys we trust" on a certain system by
> either putting them into yum.conf/sources or not. Everything beyond that
> would need infrastructure that currently doesn't exist.

Yes, anything beyond that needs infrastructure that doesn't currently
exist.  Currently yum and up2date take signatures to mean something
beyond that, and they treat all signatures in rpms equally in this
regard.  That means we need infrastructure beyond looking at the key and
guessing wildly what a signature by it means.

yum and up2date interpret a specific meaning for a package signature: if
the key is known to rpm, a valid signature means the package was
transmitted as intended from the signer.

It's not even very difficult infrastructure to make (at least in the
most naive form), but so far you've objected to nothing except my
premise that people don't know what a signature means, which you now
seem to agree with.  What gives?

-- 
        Peter
