warning to list

Matias Féliciano feliciano.matias at free.fr
Tue Oct 26 15:48:47 UTC 2004


On Tuesday 26 October 2004 at 10:47 -0300, Alexandre Oliva wrote:
> On Oct 25, 2004, Matias Féliciano <feliciano.matias at free.fr> wrote:
> 
> > Do you mean that RHEL does not have its own Rawhide during the beta
> > cycle?
> 
> I think that's a RHN repository, which certainly goes through more
> scrutiny.  I may be wrong on this, I'm more of a Fedora-tracking
> person myself.
> 

Interesting. It's better to be a RHEL tester than a Fedora tester.
Bad to learn this, because RHEL is _based_ on FC.
The better FC is, the better RHEL will be.

> >> It's just a dump of the latest
> >> builds of every package in the Red Hat build system
> 
> > To be honest, I am not surprised :-)
> 
> Why would you be?  That's exactly what it has always been.  Has anyone
> ever implied it to be anything different?

Fine. No problem with this.
Explain to me these two points from Red Hat:
- test Fedora releases are not for mission-critical use, so there is no need for signed rpms
and
- beta RHEL releases are not for mission-critical use, but we only provide signed rpms

Why?

Are signed rpms also useless for RHEL beta?
If they're useless, stop signing (manually or not) RHEL beta packages.

> 
> > Signed rpm means: you can verify the "origin" of the package.
> 
> Yeah.  If it's signed automatically, upon request from some random (or
> even specific) machine without interactive password authentication, it
> means the signature is not worth much.
> 
> > pub  1024D/1CDDBCA9 2003-10-27 Fedora Project automated build signing key (2003) <rawhide at redhat.com>
> 
> This signature is actually manual.  One of the few people who control
> the keys has to be there to put it there.

OK. And what do they do?
They enter the passphrase and go for a coffee. This is not valuable.
This can be done with expect.
If the build system (or whatever it is) is cracked, the passphrase can
be sniffed. In any case, signing requires a secure system!

http://www.gnupg.org/gph/en/manual.html
        if your private key is compromised or lost, this revocation
        certificate may be published to notify others that the public
        key should no longer be used.

Passphrase protected or not, you should revoke the key.

> 
> >> for being generated with a
> >> key not protected by a passphrase, stored on a box not exactly secure.
> 
> > Sorry, but it's Red Hat/Fedora concern.
> > I am surprised to learn that Red Hat is not able to set up a secure box
> > only to automatically sign packages.
> 
> Nobody is.  One could think it's secure, but as soon as there's a
> break in, security assumptions break down, and then, the safer the
> keys are, the better.

Yes. But automated signing is better than nothing.

> 
> > You can not say "signed rpm is not valuable" because "build server is
> > not secure".
> > Add to your TODO list:
> > - first: secure the build server
> > - second: add an automated signature
> 
> You're mixing things up here.  It is (IIUC) sufficiently secure.
> Opening up a hole to enable automated signatures wouldn't make it any
> more secure; it would actually only reduce the value of such a
> signature.
> 
> > Without signed rpms, *each* mirror can contain a trojan ...
> > Each mirror should be secure.
> > With signed rpms, _only_ the build system needs to be secure.
> 
> No disagreement here.  Looks like what you want is something other
> than rawhide.  You want something that has undergone manual signing.

Manual signing or not, I don't care. It seems Red Hat is trying to push people to
RHEL BETA (ok, sounds like FUD).

> 
> > AFAIK, all beta packages of RHEL are signed.
> 
> So are all Fedora packages in Fedora Test releases.
> 
> I suppose RHEL's equivalent of the Fedora Core Development tree,
> should it actually be a RHN channel as I believe it is, may be subject
> to RHN's requirements, which probably includes package signing.  This
> means it's not latest-and-greatest, but rather
> latest-and-greatest-that-already-got-signed.
> 
> > gpg is not QA. gpg is "only" for security and authentication purposes.
> 
> And if it's signed with a key that's not protected with a passphrase,
> you're not supposed to trust the key anyway, so what is it worth?
> 
> You certainly don't get any security or authentication from it.
> 
> (ok, you get a tiny little bit, if you believe that *nobody* will
> *ever* be able to break into such an automatic signing machine you're
> talking about and steal the signing key from it.  I'd rather trust a
> secure key.)
> 
> > Do you mean that when packages are "manually" signed they are carefully
> > checked?
> 
> No, just that the passphrase is (or should be) entered only on a box
> that's physically secure and doesn't accept incoming connections,
> which significantly reduces the possibility that someone would be able
> to break into it and obtain access to the signing key.  And, even if
> they somehow do, there's a passphrase protecting it.
> 
> I'll give you that it would be possible to have such a box hold the
> passphrase in a signing agent, and have an automated process that
> monitors the build system and goes off signing packages as they make
> it through it (i.e., without incoming notifications), but this means
> that the passphrase would be exposed for far longer than needed to
> sign specific packages, making the signing key less secure.
> 
> Heck, even the signing key itself shouldn't be available except while
> signing packages.  It should ideally be in removable media, only
> connected to the signing machine while signing packages.
> 
> This all, of course, doesn't mean no attention has to be paid to the
> security of the box on which you sign packages.  It just means keeping
> it as secure as possible isn't enough to ensure the key is safe.
> 

But still *****___better____***** than nothing.

Is it a big deal to sign rpms even if the secret key (or build system) is
poorly protected?

What happens if the build server is cracked?
Nothing. It's like having no signed rpms (like the current practice).
What happens if the secret key is cracked/stolen?
Nothing. It's like having no signed rpms (like the current practice).
What damage will this cause to the Red Hat business?
Nothing. http://fedora.redhat.com/ :
        The Fedora Project is not a supported product of Red Hat, Inc.

If Fedora signs Rawhide packages (automated or not), the worst thing that
can happen is to be back in the current situation. No more.

Why is Red Hat afraid of signing Rawhide packages?
I don't understand Red Hat. The only reason is to push testers to RHEL
BETA. (ok, FUD, but I don't see other reasons).

As long as the secret key is ... secret, automated (or not) signed rpms
are better than nothing. And _never_ worse than nothing! As long as the
secret key is kept secret, I can use mirrors confidently (or at least
it's not worse than the current situation).

Signing is _always_ better than nothing.
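The trust model argued over in this thread (only the build system holds the key, mirrors are untrusted, and a leaked key is handled by revocation) can be shown end to end in a small simulation. The following is an added example, not code from the thread or from Fedora/Red Hat: it uses a deliberately tiny pure-stdlib RSA stand-in instead of GnuPG so it runs offline, and every package name, payload, seed and the `fingerprint`/`client_install` helpers are constructed for the illustration. It shows why a tampering mirror cannot succeed against a signature it cannot forge, and why a published revocation turns a stolen key back into "no signatures at all", which is exactly the floor the message argues for.

```python
import hashlib
import random


# ---- toy RSA, constructed for this example (real repos use GnuPG keys) ----
def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; adequate for a demonstration key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(seed, bits=512):
    """Deterministic (seeded) keypair so the scenarios are reproducible."""
    rng = random.Random(seed)
    half = bits // 2
    while True:
        p = q = 0
        while not _is_probable_prime(p, rng):
            p = rng.getrandbits(half) | (1 << (half - 1)) | 1
        while q == p or not _is_probable_prime(q, rng):
            q = rng.getrandbits(half) | (1 << (half - 1)) | 1
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if phi % e:  # e must be invertible modulo phi; retry otherwise
            return (n, e), (n, pow(e, -1, phi))


def _digest(data):
    # SHA-256 is 256 bits, n is ~512 bits, so the digest is always < n
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data)


def fingerprint(pub):
    """Constructed key id, standing in for a GnuPG key fingerprint."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


# ---- the thread's trust model: build box trusted, mirrors are not ----
def build_system_publish(signing_priv, packages):
    """Only the build system holds the private key; it signs every payload."""
    return {name: (data, sign(signing_priv, data)) for name, data in packages.items()}


def client_install(served, trusted_pub, revoked):
    """A client's decision on (payload, signature) bytes fetched from any mirror."""
    data, sig = served
    if fingerprint(trusted_pub) in revoked:
        return "rejected: signing key revoked"
    if not verify(trusted_pub, data, sig):
        return "rejected: signature does not match trusted key"
    return "installed"


def run_scenarios():
    """Constructed scenarios; returns {scenario: client decision}."""
    fedora_pub, fedora_priv = generate_keypair(seed=2004)
    _, attacker_priv = generate_keypair(seed=1337)
    pkg = "example-1.0.rpm"  # constructed package name and payload
    signed = build_system_publish(fedora_priv, {pkg: b"constructed package payload"})
    revoked, results = set(), {}
    # 1. an honest mirror passes the signed package through unchanged
    results["honest mirror"] = client_install(signed[pkg], fedora_pub, revoked)
    # 2. a mirror edits the payload but keeps the original signature
    data, sig = signed[pkg]
    results["tampered payload"] = client_install((data + b" + trojan", sig), fedora_pub, revoked)
    # 3. a mirror re-signs its own payload with a key it controls
    bad = b"trojaned payload"
    results["attacker-signed"] = client_install((bad, sign(attacker_priv, bad)), fedora_pub, revoked)
    # 4. the key leaks from the build box; the revocation is published,
    #    so even genuine packages now fail, i.e. back to the unsigned status quo
    revoked.add(fingerprint(fedora_pub))
    results["after revocation"] = client_install(signed[pkg], fedora_pub, revoked)
    return results


if __name__ == "__main__":
    for scenario, decision in run_scenarios().items():
        print(f"{scenario:18s} -> {decision}")
```

Scenarios 2 and 3 are the "each mirror must be secure" case from the thread collapsing to "only the build system must be secure"; scenario 4 is the revocation step quoted from the GnuPG manual above. In practice the client-side check is `rpm --checksig` (or `gpg --verify` for detached signatures) against a keyring that has been updated with the revocation certificate, not this toy RSA.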