Should Fedora rpms be signed?

Nils Philippsen nphilipp at redhat.com
Fri Oct 29 14:48:45 UTC 2004


On Fri, 2004-10-29 at 10:08 -0400, Jeff Spaleta wrote:
> On Fri, 29 Oct 2004 15:36:47 +0200, Nils Philippsen <nphilipp at redhat.com> wrote:
> > This still forces me to use special tools like up2date and yum to access
> > the packages if I want to verify their origins.
> 
> actually...no.
> 
> you can grab the signed metadata with the md5sums, check the sig on that.
> and then do a md5sum check comparing the md5sum values in the metadata
> and the package. You can do the md5sum check by hand. This isn't much
> different than the situation with the isos.  How do you verify you are
> using the correct isos? you check the md5sums against an md5sum list.
> How do you check the validity of the md5sum list?
> You check the md5sum list signature. 

OK, not "forces" but "compels" because I don't want to go through this
hassle ;-). I can always introduce yet another level of indirection,
just to make people use the tools I think they should be using, but is
it wise to do so? NB: I am not against signing repo metadata, but I am
absolutely in favour of signing every package that "leaves the house"
for reasons I stated elsewhere (it is no more burden for the pushing
tool to have all packages as well as the metadata signed).

> You might argue it would be a good idea if there was a signed flat
> md5sum list for all packages as well as the xml metadata, so the
> md5sum command could use it. And then I'll tell you, you need to
> accept the inevitable future of xml for all possible human
> communication adopted by unanimous United Nations resolution, and you
> should fix md5sum to parse xml structure files for md5sum sigs :->

No, we don't want to start another discussion about XML and its benefits
and drawbacks. Not even because it's Friday ;-).

> And I really really really don't want to encourage people to use
> rawhide packages randomly from something like an online rpm warehouse.
> I don't want misinformed people, being able to pick up an individual 
> rawhide package, see that it's signed, and use the fact that there is a
> verifiable signature as an easy excuse to assume it's totally okay to
> install. This sort of crap happens a lot with unsigned rawhide, and I
> don't want people who misunderstand what a signature really means to
> feel more comfortable installing rawhide packages when they should not
> be.  There is a gap between, the technical definition of what signing
> a package means, and common perception of what a signed package means.
>  My concern is not for people like yourself, who understand that a
> rawhide key doesn't mean anything beyond "this package was built on the
> automated rawhide build system".  My concern is for the people, the
> much larger group of people, who will misinterpret the level of trust
> associated with ANY key and will be that much more inclined to install
> a random rawhide package they happen to find outside of a rawhide
> mirror, without thinking about it at all.  It doesn't help that as of
> now rpm key importation can't handle signed keys, and thus
> web-of-trust metrics can't be used natively to produce a metric of
> trust of keys.  How do you implement verification for those people who
> understand what it means, without giving a false sense of security and
> trust for those people who are misinformed about the process who end
> up using the rawhide packages out of their original context?  I say
> you sign the metadata and have the informed people use the package
> metadata for verification.
> 
> Can rawhide packages be automatically signed... of course
> Does autosigning help the intended, well informed, audience of the
> rawhide packages... yes
> Does autosigning hurt the unintended, un-informed or mis-informed
> audience... i think it does.

I never denied that there are people who can have a false notion of what
a signature on a Rawhide package means. But I absolutely refuse to accept
that _I_ should have to jump through hoops due to that, even more so given
that the majority of them won't install with RPM but with up2date or yum.
From there it's a short step from "Huh, why doesn't this install?" via
asking on some mailing list or on IRC, where someone answers "use
gpgcheck=0 or --nosig", i.e. the not-so-well-informed will install
Rawhide anyway if you don't expressly forbid it. I'd say that the set of
people who insist on signed packages but are clueless about what this
means or doesn't mean regarding the quality is rather small ;-).

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011
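The by-hand verification Jeff describes (check the signature on the checksum list, then compare each package's hash against the list) as an added, runnable example; this is not code from the thread, from up2date/yum or from Fedora's push tooling. Assumptions made here so it runs offline: a throwaway RSA key with PKCS#1 v1.5 signatures implemented in pure Python stands in for the repository's GPG key, SHA-256 is used instead of MD5 (practical MD5 collisions had been published shortly before this thread), the list is a flat `sha256sum -c` compatible file rather than the XML metadata, and the package names and bytes are constructed, not real rpms.

```python
"""Verify packages against a signed checksum list (added example).

Chain: signature -> checksum list -> package file.  Everything below is
constructed in memory; the key, the "packages" and the list are not
Fedora data.  Real repositories use GPG/OpenPGP, not this toy signer.
"""
import hashlib
import secrets


# --- minimal RSA + PKCS#1 v1.5 (SHA-256), only to keep the example self-contained
def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; good enough for a demo key, not a production generator."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)            # a in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if _is_probable_prime(c):
            return c


def generate_key(bits=1024):
    """Return (public, private) as ((n, e), (n, d)). Demo-sized key."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(msg, k):
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")


def verify(pub, msg, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(msg, k))


# --- the "repository": flat checksum list plus detached signature over it
def build_checksum_list(packages):
    """sha256sum -c compatible: '<hex>  <name>' per line, sorted by name."""
    lines = [f"{hashlib.sha256(data).hexdigest()}  {name}"
             for name, data in sorted(packages.items())]
    return ("\n".join(lines) + "\n").encode()


def parse_checksum_list(blob):
    expected = {}
    for line in blob.decode().splitlines():
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest
    return expected


def verify_packages(pub, checksum_list, sig, packages):
    """Return {name: 'ok' | 'mismatch' | 'unlisted'}.

    The signature authenticates the *list* only.  A package that is not in
    the list gets no statement at all: nothing here says where it came from.
    """
    if not verify(pub, checksum_list, sig):
        raise ValueError("checksum list signature does not verify; stop here")
    expected = parse_checksum_list(checksum_list)
    status = {}
    for name, data in packages.items():
        if name not in expected:
            status[name] = "unlisted"
        elif hashlib.sha256(data).hexdigest() == expected[name]:
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    return status


def demo():
    """Constructed scenario: one intact, one tampered, one unlisted package."""
    pub, priv = generate_key()
    published = {"foo-1.0-1.rpm": b"\xed\xab\xee\xdb foo payload",
                 "bar-2.3-4.rpm": b"\xed\xab\xee\xdb bar payload"}
    checksum_list = build_checksum_list(published)
    sig = sign(priv, checksum_list)

    downloaded = dict(published)
    downloaded["bar-2.3-4.rpm"] = b"\xed\xab\xee\xdb bar payload + extra"   # altered in transit
    downloaded["baz-0.1-1.rpm"] = b"\xed\xab\xee\xdb from some rpm warehouse"  # never in the list
    status = verify_packages(pub, checksum_list, sig, downloaded)

    # A list rewritten to bless the altered package, served with the old signature:
    forged = build_checksum_list(downloaded)
    try:
        verify_packages(pub, forged, sig, downloaded)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return status, forged_rejected


if __name__ == "__main__":
    print(demo())
```

Against a real repository the two toy pieces are replaced by the tools the thread names: `gpg --verify` on the detached signature of the list, then `sha256sum -c` (or `md5sum -c`, for a list in that format) on the packages. Note what the result does and does not say: "ok" means the bytes match what the key holder published, "mismatch" means they do not, and "unlisted" means the signature gives you no opinion at all, which is exactly the gap between a verifiable signature and "safe to install" that the thread is about.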

More information about the test mailing list