On Thu, Nov 11, 2010 at 10:17:57AM -0500, Andre Robatino wrote:
> I realize there's a lot of stuff sitting on top of RPM that depends on
> how it works currently, but in terms of correctness, it still seems to
> me to make more sense to sign the uncompressed data, since that's what
> actually gets used, and it would avoid issues like
> https://fedorahosted.org/rel-eng/ticket/4224 which will have to be dealt
> with periodically as long as compression continues to improve. So let me
> rephrase the question: in an alternate universe where RPM was originally
> designed to sign the uncompressed data, and the higher-level tools were
> subsequently designed to work with that, is there any fundamental reason
> why things would be worse (or better) than they are now?

Security-wise it would be a bit worse, because the decompression
libraries may contain exploitable bugs, so checking the signature of
an rpm might already be a dangerous operation.

(But most repositories nowadays already contain checksums over the
complete rpm, and most people trust repositories, not individual rpms.)

Cheers,
  Michael.

--
Michael Schroeder                                   mls@xxxxxxx
SUSE LINUX Products GmbH,  GF Markus Rex,  HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
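The point Michael makes above, illustrated as an added example that is not RPM code and not part of the thread: when the signature covers the compressed payload, the verifier rejects a tampered package without ever feeding its bytes to the decompression library; when the signature covers the uncompressed data, the verifier has no choice but to run zlib on attacker-controlled input before it knows whether the package is genuine. HMAC-SHA256 with a made-up shared key stands in for RPM's real (asymmetric, GPG) signature, zlib stands in for whatever compressor the package uses, and the "package" contents and the swapped-in decompression-bomb payload are constructed for the example. The output cap in `decompress_bounded` is a mitigation added here that the thread does not discuss.

```python
"""Added example: order of signature verification vs. decompression.

Two hypothetical package formats:
  sign_compressed   - signature covers the compressed payload (what RPM does)
  sign_uncompressed - signature covers the decompressed data (the
                      "alternate universe" asked about in the thread)
"""
import hashlib
import hmac
import zlib

SIGNING_KEY = b"example-packager-key"   # hypothetical; stands in for the GPG key
OUTPUT_LIMIT = 16 << 20                 # cap on decompressed size (added hardening)


class Untrusted(Exception):
    """Package failed signature verification."""


class Stats:
    """How many compressed bytes zlib was fed while handling the hostile package."""
    zlib_bytes_fed = 0


def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def decompress_bounded(comp: bytes, limit: int = OUTPUT_LIMIT) -> bytes:
    """Decompress with an output cap so a bomb cannot exhaust memory.

    Every call is recorded: this is the step whose attack surface the thread
    is about, since zlib parses whatever bytes it is given.
    """
    Stats.zlib_bytes_fed += len(comp)
    d = zlib.decompressobj()
    out = d.decompress(comp, limit)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("output exceeds %d bytes or stream is truncated" % limit)
    return out


# --- building packages (the packager's side) ---------------------------------
def package_sign_compressed(payload: bytes):
    comp = zlib.compress(payload)
    return comp, sign(comp)            # signature over the compressed bytes


def package_sign_uncompressed(payload: bytes):
    comp = zlib.compress(payload)
    return comp, sign(payload)         # signature over the plaintext


# --- opening packages (the installer's side) ---------------------------------
def open_sign_compressed(comp: bytes, sig: bytes) -> bytes:
    """Authenticate first; zlib only ever sees bytes that passed verification."""
    if not hmac.compare_digest(sign(comp), sig):
        raise Untrusted("signature mismatch")
    return decompress_bounded(comp)


def open_sign_uncompressed(comp: bytes, sig: bytes) -> bytes:
    """Must decompress unauthenticated bytes before the signature can be checked."""
    payload = decompress_bounded(comp)         # untrusted input reaches zlib here
    if not hmac.compare_digest(sign(payload), sig):
        raise Untrusted("signature mismatch")
    return payload


DESIGNS = {
    "sign_compressed": (package_sign_compressed, open_sign_compressed),
    "sign_uncompressed": (package_sign_uncompressed, open_sign_uncompressed),
}


def tamper(comp: bytes, sig: bytes):
    """Attacker keeps the genuine signature but swaps in a constructed payload:
    8 MiB of zeros, which zlib packs into a few KiB (a small decompression bomb)."""
    bomb = zlib.compress(b"\0" * (8 << 20), 9)
    return bomb, sig


def simulate(design: str):
    """Return (outcome, compressed bytes zlib saw) for the hostile package."""
    builder, opener = DESIGNS[design]
    payload = b"constructed package contents\n"
    comp, sig = builder(payload)
    assert opener(comp, sig) == payload        # the genuine package opens fine
    Stats.zlib_bytes_fed = 0
    try:
        opener(*tamper(comp, sig))
        return "accepted", Stats.zlib_bytes_fed
    except (Untrusted, ValueError) as exc:
        return type(exc).__name__, Stats.zlib_bytes_fed


if __name__ == "__main__":
    for name in DESIGNS:
        print(name, simulate(name))
```

Both designs end up rejecting the tampered package, so the difference is not in the verdict but in what ran before it: `sign_compressed` reports zero bytes fed to zlib, while `sign_uncompressed` has already parsed the attacker's compressed stream by the time the mismatch is found. A bug in that parser is reachable by anyone who can hand you a package in the second design, and only by someone holding the signing key in the first. The repository-level checksums mentioned in the reply move the check one layer up but rest on the same principle: authenticate the bytes before you parse them.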