warning to list

Alexandre Oliva aoliva at redhat.com
Mon Oct 25 06:37:46 UTC 2004


On Oct 25, 2004, Ian Pilcher <i.pilcher at comcast.net> wrote:

> I must admit that I don't understand why it's even *possible* for an
> unsigned package to make its way into any official up2date repository.

rawhide isn't an up2date repository.  It's just a dump of the latest
builds of every package in the Red Hat build system, started by cron
at a fixed time in the very early morning when there's nobody around to
sign packages that developers hacked on all night.  Sure enough, one
could add an automated signature to such packages, but this only means
such a signature would be worth nothing, for being generated with a
key not protected by a passphrase, stored on a box not exactly secure.
E.g., if the automated rawhide build procedure could get into it to
sign packages, without any password-protected authentication, what is
this signature worth?

> Common sense would seem to dictate the use of some type of simple script
> to move packages from a "staging" directory into the repository; signing
> the package should be part of this process, not something that Red Hat
> developers have to do manually.

'fraid your common sense is not in line with common sense in terms of
good security practices.
Sure enough, the rawhide build could refrain from using unsigned
packages, but the point of rawhide is to provide people with the
latest packages for testing.  The 24-hour turn-around time is
sometimes too long already; adding the need for one of the few people
who actually have access to the signing keys to be around to sign them
would probably just increase the turn-around time.  You just can't
have it both ways.  (ok, you could: there could be one repository with
only signed packages, and one with the really latest stuff even if
unsigned, but...  36GB/day is bad enough)

-- 
Alexandre Oliva             http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer   aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist  oliva@{lsd.ic.unicamp.br, gnu.org}
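The exchange above turns on whether a package in a rawhide dump carries a signature at all, and on the fact that an unattended signing key adds little. As an added example (not code from the post, from Red Hat, or from rpm itself), the following Python reads the RPM lead and signature header directly and reports which signature tags are present, so a consumer of such a dump can tell unsigned packages apart before installing anything. The layout and tag numbers are assumed from the public RPM file format (96-byte lead, header magic `8e ad e8 01`, big-endian index entries of tag/type/offset/count; signature tags 267/268 for DSA/RSA over the header, 1002/1005 for the legacy PGP/GPG signatures). The `build_fake_rpm` fixture and the sample blobs are constructed here for the demonstration and contain no real signature.

```python
import struct

# Assumed RPM on-disk layout: 96-byte lead, then a signature header (padded to
# 8 bytes), then the main header and the payload. Only the first two matter here.
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96

# Signature-header tags that carry an OpenPGP signature (numbers as in rpm's rpmtag.h).
SIGNATURE_TAGS = {
    267: "RPMSIGTAG_DSA",   # DSA signature over the main header
    268: "RPMSIGTAG_RSA",   # RSA signature over the main header
    1002: "RPMSIGTAG_PGP",  # legacy RSA signature over header + payload
    1005: "RPMSIGTAG_GPG",  # legacy DSA signature over header + payload
}

# Element widths for fixed-width header data types (CHAR, INT8, INT16, INT32, INT64, BIN).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}


def parse_signature_header(data: bytes) -> dict:
    """Return {tag: (type, raw_bytes)} for every entry in the signature header."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    off = LEAD_SIZE
    if data[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # 4 magic bytes + 4 reserved bytes, then index-entry count and store size.
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    index_start = off + 16
    store_start = index_start + 16 * nindex
    store = data[store_start:store_start + hsize]
    if len(store) != hsize:
        raise ValueError("truncated signature header")
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(
            ">IIII", data[index_start + 16 * i:index_start + 16 * (i + 1)])
        width = TYPE_SIZES.get(typ)
        # String types are NUL-terminated; take the rest of the store for them.
        end = offset + width * count if width else hsize
        if offset > hsize or end > hsize:
            raise ValueError(f"tag {tag} points outside the header store")
        entries[tag] = (typ, store[offset:end])
    return entries


def present_signature_tags(data: bytes) -> list:
    """Names of the signature tags this package carries (empty if unsigned)."""
    return sorted(SIGNATURE_TAGS[t] for t in parse_signature_header(data) if t in SIGNATURE_TAGS)


def is_signed(data: bytes) -> bool:
    """True if any OpenPGP signature tag is present. Presence is not verification."""
    return bool(present_signature_tags(data))


def build_fake_rpm(sig_entries) -> bytes:
    """Constructed fixture: lead + signature header only, no main header or payload."""
    lead = RPM_LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    index = b""
    store = b""
    for tag, typ, payload in sig_entries:
        width = TYPE_SIZES[typ]
        # Keep fixed-width integer data naturally aligned inside the store.
        if width > 1 and len(store) % width:
            store += b"\x00" * (width - len(store) % width)
        index += struct.pack(">IIII", tag, typ, len(store), len(payload) // width)
        store += payload
    header = (HEADER_MAGIC + b"\x00" * 4
              + struct.pack(">II", len(sig_entries), len(store)) + index + store)
    header += b"\x00" * (-len(header) % 8)  # signature header is padded to 8 bytes
    return lead + header


# Constructed samples: an unsigned package (size + MD5 only) and one with an RSA tag
# whose bytes are a placeholder, not a real signature.
UNSIGNED_SAMPLE = build_fake_rpm([
    (1000, 4, struct.pack(">I", 4096)),  # RPMSIGTAG_SIZE, INT32
    (1004, 7, bytes(16)),                # RPMSIGTAG_MD5, BIN
])
SIGNED_SAMPLE = build_fake_rpm([
    (1000, 4, struct.pack(">I", 4096)),
    (1004, 7, bytes(16)),
    (268, 7, b"\x89\x02" + bytes(14)),   # RPMSIGTAG_RSA, BIN (placeholder bytes)
])

if __name__ == "__main__":
    for name, blob in (("unsigned", UNSIGNED_SAMPLE), ("signed", SIGNED_SAMPLE)):
        print(f"{name}: signed={is_signed(blob)} tags={present_signature_tags(blob)}")
```

Finding a signature tag only says that someone wrote one into the header; checking it against trusted keys is what `rpm -K` (`rpm --checksig`) does, and, as the reply points out, a signature made by a passphrase-less key on a build box proves little even when it verifies. The useful policy is the stricter one: treat packages with no signature tag, or a signature from a key you have not deliberately imported, as untrusted test material rather than as releases.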