Signed packages = _secure_ authentication of origin and not a policy (was: Should Fedora rpms be signed?)

Axel Thimm Axel.Thimm at ATrpms.net
Fri Nov 5 09:50:28 UTC 2004


On Fri, Nov 05, 2004 at 12:34:32AM -0600, Satish Balay wrote:
> On Thu, 4 Nov 2004, Peter Jones wrote:
> > My model is that the signature is more than just a gpg signature.
> > Conceptually, it's a signature on a certificate with data that
> > specifies exactly which ways the package may be trusted.  One
> > could actually implement it that way, which I think we should, but
> > it's some significant effort.

A signature is a signature, nothing more. You are talking about
policies, which are orthogonal to signing. Red Hat has policies,
ATrpms has policies, every repo has one, and they may partly
overlap. But you cannot (should not) deduce a policy from a signature.

The only thing IMHO a signature should be doing is to ensure the
package origin is from the key-holder of the package, nothing more. It
is a security, not policy entity.

> Yeah - but we don't have that right now. The thing we are debating is
> - why signing 'rawhide' with gpg key is wrong.

Signing rawhide packages is not only right, but highly required. I
want to know whether mirror XYZ has untampered packages. If the
package is signed by the trusted Red Hat keys, I don't need to check
or care about mirror trusts. Unsigned packages on an insecure mirror
would go unnoticed if modified.

This mail is signed for the very same reason. There is no policy
behind signing my mail, other than ensuring no one can tamper with the
contents or send (signed) mails on my behalf.

> > The specific proposal here was that when you *don't* mean the things
> > that people infer from a signed package, don't sign the package. 
> 
> You mean Axel, Dag shouldn't sign the packages they
> distribute. (because that would imply it's equally trustworthy as
> redhat-certified)
> 
> And according to your model - If I were to distribute signed/unsigned
> packages - the expectation for unsigned is different (can eat data) - but
> signed is different (extremely stable)

I'd say unsigned packages are just insecure, so they are also
unstable. OK ;)
-- 
Axel.Thimm at ATrpms.net
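Added example, not part of Axel's mail or of any Fedora or ATrpms tooling: a small Python check that applies the distinction above when verifying a package fetched from a mirror. A signature line from a pinned key proves origin; digest-only lines prove nothing against a modified mirror, so an unsigned package is reported as such rather than "OK". It assumes the classic rpm 4.x `rpm -Kv` output layout shown in the constructed samples, and the key IDs are placeholders.

```python
import re
import subprocess

# Key IDs of the repository signers this host trusts. Constructed placeholder
# value for the example; a real policy would pin the actual repository key IDs.
TRUSTED_KEY_IDS = {"a1b2c3d4"}

_SIGNATURE = re.compile(r"\bsignature\b", re.I)   # only these lines prove origin
_KEY_ID = re.compile(r"key ID ([0-9a-fA-F]+)")
_FAILED = re.compile(r"\b(BAD|NOTOK|NOKEY|MISSING)\b")


def verdict(rpm_kv_output: str, trusted=TRUSTED_KEY_IDS) -> str:
    """Classify one package from `rpm -Kv` output as 'trusted', 'unsigned',
    'untrusted-key' or 'bad-signature'. Digest lines travel inside the package,
    so a mirror that alters the payload can recompute them: digest-only OK is
    'unsigned', not 'untampered'."""
    sig_lines = [l for l in rpm_kv_output.splitlines() if _SIGNATURE.search(l)]
    if not sig_lines:
        return "unsigned"
    for line in sig_lines:
        if _FAILED.search(line) or not re.search(r"\bOK\b", line):
            return "bad-signature"
        m = _KEY_ID.search(line)
        if m is None or m.group(1).lower() not in trusted:
            return "untrusted-key"
    return "trusted"


def check_package(path: str) -> str:
    """Run rpm -Kv on a downloaded file (needs rpm installed; not exercised here)."""
    proc = subprocess.run(["rpm", "-Kv", path], capture_output=True, text=True)
    return verdict(proc.stdout + proc.stderr)


# Constructed samples in the rpm 4.x `-Kv` layout, not captured from a real mirror.
SIGNED_TRUSTED = """example-1.0-1.i386.rpm:
    Header V3 DSA signature: OK, key ID a1b2c3d4
    Header SHA1 digest: OK (0123456789abcdef0123456789abcdef01234567)
    MD5 digest: OK (0123456789abcdef0123456789abcdef)
    V3 DSA signature: OK, key ID a1b2c3d4
"""
UNSIGNED = """example-1.0-1.i386.rpm:
    Header SHA1 digest: OK (0123456789abcdef0123456789abcdef01234567)
    MD5 digest: OK (0123456789abcdef0123456789abcdef)
"""
UNKNOWN_SIGNER = SIGNED_TRUSTED.replace("a1b2c3d4", "0badf00d")   # signed, but not by a pinned key
TAMPERED = SIGNED_TRUSTED.replace("signature: OK", "signature: BAD")  # payload changed after signing
```

Only the 'trusted' verdict should let a package proceed to install; the other three are the cases the mail says an unsigned-rawhide policy would leave undetected or indistinguishable.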