Re: ESR: Goodbye Fedora

Les Mikesell writes:

> Sam Varshavchik wrote:
>
>> There's no technical reason why an rpm file cannot include the URLs of any repositories that provide packages for any needed dependencies, together with the repositories' keys.
>
> That sort of defeats the purpose of having keys unless you are prepared to trust anyone potentially downstream in such a cascading arrangement.
>
> It would also add many more points that can change and make updates even less repeatable than they are now.

If you trust a repo's maintainer, and you've imported the repo's keys, and the maintainer builds a package with a dependency on another third party repo, the maintainer puts the third party repo's URL and keys into the package, and signs the package with his key. You already trust the key, because you're pulling packages from the repo already. So, you're going to have to make a call. Either reject the third party repo's keys, but then the update will be rejected since the dependency won't be satisfied, or accept the third party repo's keys, and pull in the rest of the dependency.

Fundamentally, this is no different than the stock PGP web of trust mechanism. You are already trusting one third party repo that you're updating your packages from. A part of that trust, which you must understand, involves trusting whatever other third party repo the first repo itself is trusting.

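The two outcomes described in the reply above (reject the embedded repo keys and the update fails on the unsatisfied dependency, or accept them and the trust cascades to whatever the first repo trusts) can be made concrete with a small model. The following Python is an added example written for this archive page; it is not code from the thread, from rpm, or from yum. It assumes constructed package and repo names, uses a SHA-256 hash over the signer fingerprint plus canonical content as a stand-in for a real detached OpenPGP signature, and models "the package embeds a repo URL and key" as an `embedded_repos` field. Repo A is the one the user chose to trust; B is embedded by A's package, and C is embedded by B's package, which is the downstream cascade Les objects to.

```python
"""Model of cascading repo trust via keys embedded in signed packages."""
import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Repo:
    url: str
    key: str            # key fingerprint (constructed for the example)


@dataclass(frozen=True)
class Package:
    name: str
    repo: Repo                   # repo that serves this package
    signer: str                  # fingerprint of the key that signed it
    requires: tuple = ()
    embedded_repos: tuple = ()   # repos the package says provide its deps
    signature: str = ""

    def canonical(self) -> bytes:
        body = {"name": self.name, "repo": self.repo.url, "signer": self.signer,
                "requires": list(self.requires),
                "embedded": [[r.url, r.key] for r in self.embedded_repos]}
        return json.dumps(body, sort_keys=True).encode()


def _digest(pkg: Package) -> str:
    # Stand-in for an OpenPGP signature: binds signer fingerprint to content,
    # so a changed dependency list, embedded repo, or signer fails to verify.
    return hashlib.sha256(pkg.signer.encode() + pkg.canonical()).hexdigest()


def sign(pkg: Package) -> Package:
    return dataclasses.replace(pkg, signature=_digest(pkg))


def verify(pkg: Package, trusted_keys) -> bool:
    if pkg.signer not in trusted_keys:
        return False
    return hmac.compare_digest(_digest(pkg), pkg.signature)


def resolve(root, catalog, base_repo, trusted_keys, accept_embedded):
    """Install `root` and its dependencies.

    Returns (ok, installed, trusted_after, enabled_repo_urls, reason).
    accept_embedded=True enables each embedded repo and imports its key, so
    trust cascades; False ignores embedded repos, so a dependency served only
    by such a repo cannot be found and the update is rejected.
    """
    trusted = set(trusted_keys)
    enabled = {base_repo.url: base_repo}
    installed = []
    queue = [root]
    while queue:
        name = queue.pop(0)
        if name in installed:
            continue
        candidates = [p for p in catalog if p.name == name and p.repo.url in enabled]
        if not candidates:
            return False, installed, trusted, sorted(enabled), f"{name}: no enabled repo provides it"
        pkg = candidates[0]
        if not verify(pkg, trusted):
            return False, installed, trusted, sorted(enabled), f"{name}: signer {pkg.signer} not trusted"
        if accept_embedded:
            for repo in pkg.embedded_repos:
                enabled[repo.url] = repo
                trusted.add(repo.key)      # the cascade step
        installed.append(name)
        queue.extend(pkg.requires)
    return True, installed, trusted, sorted(enabled), "ok"


# Constructed sample data: three repos, each package pointing at the next one.
KEY_A, KEY_B, KEY_C = "FPR-A-MAINTAINER", "FPR-B-THIRDPARTY", "FPR-C-FOURTHPARTY"
REPO_A = Repo("https://a.example/repo", KEY_A)   # the repo the user chose to trust
REPO_B = Repo("https://b.example/repo", KEY_B)   # embedded by A's package "foo"
REPO_C = Repo("https://c.example/repo", KEY_C)   # embedded by B's package "libbar"

CATALOG = [
    sign(Package("foo", REPO_A, KEY_A, requires=("libbar",), embedded_repos=(REPO_B,))),
    sign(Package("libbar", REPO_B, KEY_B, requires=("libbaz",), embedded_repos=(REPO_C,))),
    sign(Package("libbaz", REPO_C, KEY_C)),
]


def demo():
    """Run the same update under both policies, starting with only KEY_A trusted."""
    rejected = resolve("foo", CATALOG, REPO_A, {KEY_A}, accept_embedded=False)
    accepted = resolve("foo", CATALOG, REPO_A, {KEY_A}, accept_embedded=True)
    return rejected, accepted


if __name__ == "__main__":
    for label, (ok, installed, trusted, repos, reason) in zip(
            ("reject embedded repos", "accept embedded repos"), demo()):
        print(f"{label}: ok={ok} installed={installed} "
              f"trusted={sorted(trusted)} repos={repos} reason={reason}")
```

Under the reject policy only `foo` verifies and the run stops at `libbar`; under the accept policy the install succeeds, but the trusted key set ends up holding C's key, which the user never imported and only reached because B's maintainer vouched for it, which is exactly the downstream trust the thread is arguing about.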
