Re: Fedora still doesn't sign its repo data?

On Tue, 19 Aug 2014 16:05:12 +0000
Joonas Lehtonen <joonas.lehtonen@xxxxxxxxxxxxx> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> >>> It's logistically difficult to sign the repodata... but of 
> >>> course it could be done.
> 
> Has someone tried to get this done/accepted before?

Not sure what you mean fully by that, but it's been talked about
before. If you're really interested in it propose it to release
engineering and offer to work on needed code/etc. 

The big downside is that it means the updates compose would stop at the
very end and need to have the repodata signed before it could be pushed
out, so it means someone would have to not only sign packages before an
updates push, but come back many hours later and sign the repodata too.
I'm sure it would need bodhi changes, possibly mash changes, possibly
changes to the signing tools.

> >> Is there any kind of certificate pinning in place when verifying 
> >> the certificate of https://mirrors.fedoraproject.org or can the 
> >> certificate be from any trusted CA?
> > 
> > I'm not sure. Yum (and dnf) uses python-urlgrabber, which uses 
> > urlgrabber, which uses curl. So, it would depend on the default 
> > curl config.
> 
> So we could take advantage of the environment variable named
> 'CURL_CA_BUNDLE' to feed it with the issuing CA of
> https://mirrors.fedoraproject.org 's certificate.

I suppose, sure. Or it might be a slightly different env for
urlgrabber... not sure. 
 
> Does Fedora have a policy on where it gets its certificates from?
> Is it always DigiCert?

No, it was another registrar until last year. It hasn't changed often
though. 
 
> Until curl gets DANE support we could use 'CURL_CA_BUNDLE' as a poor
> man's CA pinning?
> 
> http://curl.haxx.se/docs/todo.html#Support_DANE

Sure.

kevin

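The "poor man's CA pinning" idea in the thread above is to hand curl a CA bundle containing only the mirror host's issuing CA, so a certificate from any other publicly trusted CA is rejected. The script below is an added example, not code from the thread or from Fedora: it builds a throwaway PKI with openssl (a "pinned" CA, a leaf certificate it issued for a made-up mirror host, and an unrelated second CA), then shows with `openssl verify` that the leaf is accepted against the pinned bundle and rejected against the other one. This is the same acceptance rule curl applies when pointed at a one-issuer CA file. All names, paths and certificates are constructed for the demo; the only assumption is that openssl(1) is installed.

```shell
#!/bin/sh
# Added example (not from the thread): what pinning to a single-issuer CA
# bundle means in practice, demonstrated offline with openssl(1).
# Assumptions: openssl is installed; every name, path and certificate here
# is constructed for the demo and is not Fedora's real CA or mirror host.
set -eu

# Build a throwaway PKI in $1: a "pinned" CA, a leaf certificate it issued
# for a hypothetical mirror host, and an unrelated second CA.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/pinned-ca.key" -out "$dir/pinned-ca.pem" \
        -subj "/CN=Pinned Demo CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/mirror.key" -out "$dir/mirror.csr" \
        -subj "/CN=mirrors.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/mirror.csr" \
        -CA "$dir/pinned-ca.pem" -CAkey "$dir/pinned-ca.key" -CAcreateserial \
        -out "$dir/mirror.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" \
        -subj "/CN=Some Other Public CA" >/dev/null 2>&1
}

# Verify a server certificate against ONLY the given bundle, ignoring the
# system trust store (-no-CApath/-no-CAfile). Returns 0 when the chain is
# accepted and 1 otherwise, which is the decision curl makes when it is
# given a one-issuer CA file instead of the full system bundle.
verify_pinned() {
    bundle=$1
    cert=$2
    if openssl verify -no-CApath -no-CAfile -CAfile "$bundle" "$cert" \
        >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

demo() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    if verify_pinned "$work/pinned-ca.pem" "$work/mirror.pem"; then
        echo "pinned bundle: mirror cert accepted (expected)"
    fi
    if ! verify_pinned "$work/other-ca.pem" "$work/mirror.pem"; then
        echo "other CA only: mirror cert rejected (expected)"
    fi
    # Invocation shape proposed in the thread; not run here (needs network).
    # Note that CURL_CA_BUNDLE is read by the curl command-line tool; whether
    # the pycurl/urlgrabber path that yum uses honours it is the open question
    # Kevin raises above, so check that before relying on it for yum.
    echo "usage: CURL_CA_BUNDLE=$work/pinned-ca.pem curl -sI https://mirrors.example.test/"
    rm -rf "$work"
}

demo
```

The second check is the one that matters for the pinning argument: a certificate for the same host name, issued by any CA not in the bundle, fails verification even though a default system trust store might accept it. The flip side, which the thread also touches on, is that the pinned bundle must be updated whenever the site changes issuers, or every client will suddenly refuse the mirror.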

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx