ESR: Goodbye Fedora

Sam Varshavchik mrsam at courier-mta.com
Thu Feb 22 01:27:18 UTC 2007


Les Mikesell writes:

> Sam Varshavchik wrote:
>> 
>> There's no technical reason why an rpm file cannot include the URL of 
>> any repositories that provide packages any needed dependencies, together 
>> with the repositories' keys. 
> 
> That sort of defeats the purpose of having keys unless you are prepared 
> to trust anyone potentially downstream in such a cascading arrangement.
> 
> It would also add many more points that can change and make updates even 
> less repeatable than they are now.

If you trust a repo's maintainer, and you've imported the repo's keys, and the 
maintainer builds a package with a dependency on another third party repo, the 
maintainer puts the third party repo's URL and keys into the package, and 
signs the package with his key.  You already trust the key, because you're 
pulling packages from the repo already.  So, you're going to have to make a 
call.  Either reject the third party repo's keys, but then the update will be 
rejected since the dependency won't be satisfied, or accept the third party 
repo's keys, and pull in the rest of the dependency.

Fundamentally, this is no different than the stock PGP web of trust 
mechanism.  You are already trusting one third party repo that you're 
updating your packages from.  A part of that trust, which you must 
understand, involves trusting whatever other third party repo the first repo 
itself is trusting.

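The accept-or-reject decision described above, as an added example that is not part of the original post or of any RPM tooling. It models a trust store, packages that embed a third party repo's key, and the cascading effect of accepting those keys. Key ids, repo URLs and packages are constructed, and an HMAC stands in for the real GPG package signature so the example runs offline.

```python
import hashlib, hmac, json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed key material: key id -> secret. HMAC is a stand-in for an
# RPM/GPG signature; only the trust logic is the point of this example.
KEYS = {"fedora": b"k-fedora", "repo-a": b"k-a", "repo-b": b"k-b"}

def sign(key_id: str, payload: bytes) -> str:
    return hmac.new(KEYS[key_id], payload, hashlib.sha256).hexdigest()

@dataclass
class Package:
    name: str
    signer: str                                   # key id of the repo that built it
    requires: Tuple[str, ...] = ()                # dependency package names
    embedded_repo: Optional[Tuple[str, str]] = None  # (repo URL, key id) the package vouches for
    signature: str = ""

    def payload(self) -> bytes:
        return json.dumps([self.name, self.signer, list(self.requires), self.embedded_repo]).encode()

    def seal(self) -> "Package":
        self.signature = sign(self.signer, self.payload())
        return self

def verify(pkg: Package, trusted: set) -> bool:
    """A package is valid only if its signer is already trusted and the signature checks."""
    return pkg.signer in trusted and hmac.compare_digest(pkg.signature, sign(pkg.signer, pkg.payload()))

def resolve(name: str, catalog: dict, trusted: set, accept_embedded: bool):
    """Walk the dependency tree. Returns (ok, trust store after, chain of (vouching key, repo URL)).
    Accepting embedded keys widens the trust store transitively; rejecting them leaves it
    unchanged, and the first dependency signed by an untrusted repo fails the update."""
    trusted, chain, todo, seen = set(trusted), [], [name], set()
    while todo:
        pkg = catalog[todo.pop()]
        if pkg.name in seen:
            continue
        seen.add(pkg.name)
        if not verify(pkg, trusted):
            return False, trusted, chain
        if pkg.embedded_repo and accept_embedded:
            url, key = pkg.embedded_repo
            trusted.add(key)                      # trust extended on the signer's say-so
            chain.append((pkg.signer, url))
        todo.extend(pkg.requires)
    return True, trusted, chain

# Constructed catalog: fedora's app needs libfoo from repo-a, which needs libbar from repo-b.
CATALOG = {p.name: p for p in [
    Package("app", "fedora", ("libfoo",), ("http://repo-a.example/", "repo-a")).seal(),
    Package("libfoo", "repo-a", ("libbar",), ("http://repo-b.example/", "repo-b")).seal(),
    Package("libbar", "repo-b").seal(),
]}
```

Running `resolve("app", CATALOG, {"fedora"}, accept_embedded=True)` ends with repo-b trusted even though only fedora's key was imported, which is the cascade the quoted reply objects to; with `accept_embedded=False` the update fails at libfoo.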