Should Fedora rpms be signed?

Thu Nov 4 22:25:25 UTC 2004

On Thu, 2004-11-04 at 15:02 -0600, Satish Balay wrote:
> On Thu, 4 Nov 2004, Peter Jones wrote:
> 
> > Signing something with the Red Hat key and signing something with the
> > Rawhide key are currently _the same thing_, and no amount of telling
> > people that it's not is going to change that.
> 
> (I didn't want to get sucked into this again - but couldn't
> resist.. this tread never dies).
> 
> I hope you can give pointed answers to these 2 questions.
> 
> 1. If 'Red Hat key' == 'Rawhide key' - why do you have both?

I think it's horribly ill-conceived that we have both.  That is, we have
both because people have fallen into this mistake.

> 2. How does packages signed by 'at-rpms-key' fit in your grad model
> where all keys are the same - and users don't know how to distinguish
> them.

Both models have the keys being the same.  One has people refusing to
acknowledge this.

The current model is that they're all the same.  Look at our tools; look
at yum and up2date.  They don't know anything about which key is which,
just which key you've said you trust (not even what you trust it for, or
how much).  The only real difference, and certainly the only one in the
minds of the vast majority of our users, is that one comes in rpm's key
list by default and one does not.

The better question is how one of Axel's package fits into the model
Nils insists exists.  The only possible answer is that it doesn't fit
very well at all.  How do I know what Axel means by his signature on his
packages?  I have no idea, and I don't know where to look to found out,
either.  I suppose I could email him, but that certainly doesn't scale
to a 4th or 5th key very reasonably, much less any more than that.

My model is that the signature is more than just a gpg signature.
Conceptually, it's a signature on a certificate with data that specifies
exactly which ways the package may be trusted.  One could actually
implement it that way, which I think we should, but it's some
significant effort.

The specific proposal here was that when you *don't* mean the things
that people infer from a signed package, don't sign the package.  If all
we mean is that it's not damaged or tampered with, sign the metadata
instead.  Seth's metadata proposal (which I believe he's largely
implemented) already has the format for this in place.  In this case the
package is one certificate as mentioned above, and the metadata is
another.  What the package signature actually means is obviously up for
some debate, but we can certainly find plenty of examples where people
think it means more than just lack of corruption.

>  Or should no one other than 'Redhat' be signing packages.

With a model where we recognize the meaning from the key, this is
implied, though not necessarily intentionally.  With my model, it is
not.
-- 
        Peter

When privacy is outlawed only outlaws will have privacy.
                -- Zimmermann