On Mon, 5 Nov 2012 11:32:07 -0700 Kevin Fenzi <kevin@xxxxxxxxx> wrote:

> On Mon, 5 Nov 2012 18:55:51 +0100
> Till Maas <opensource@xxxxxxxxx> wrote:
>
> > Rawhide is not intended to be used for anything important and with
> > any security sensitive data because the used packages are not
> > signed. Whenever I asked to get Rawhide packages signed I was also
> > told that it is, because of Rawhide's use case. Everybody using
> > Rawhide for example to maintain Fedora packages is endangering
> > the Fedora project.
>
> I am pretty sure there was a plan to make koji sign packages. I don't
> know what the status of it is however.

No one is working on it at all. I'm actually kind of against the idea. As things currently stand we would instantly double the disk we need for /mnt/koji. All the key would give us is a "yes, this build was done as a real build in koji". The security of the gpg key would be less, since we need to have automated processes able to access the key. The value of the signed rpm is less. It also opens up another attack vector that "could" be exploited. We would need to sign the metadata or still resign all the rpms, each of which has associated costs. Signing the metadata means someone will need to manually do it at the end of a package push process. In the case of branched or rawhide, if we signed its metadata it could be hours until someone wakes up to sign the metadata, or we change when the runs happen so that it lands later. To me the big issue becomes that we can't trust the key as much, since it's either open or the password to unlock it is stored in plain text somewhere so that it can be unlocked or rpms automatically signed. The only way to really have it work right would reduce the security and trust in the key. All we would gain is a way to distinguish an official build vs a scratch build in koji or a build someone did to mimic our environment.

> I would personally love to see koji sign all official builds with a
> "This was built in koji" key.
>
> > Nevertheless, I still believe it would be better if Fedora started
> > to provide signed packages directly from Koji including Rawhide to
> > end this problem.
>
> I agree. Any koji folks have any ideas on the status of this feature
> request?
>
> Oh look:
> https://fedorahosted.org/koji/ticket/203
>
> Looks like there are patches there... anyone able to test or provide
> more feedback to get it moving?

AFAIK the patches are not at all tested. I've not looked to see if it would mean we end up using twice the disk we use today or not. It would also prevent the ability to reclaim disk by purging the signed copy of the rpm easily, since all rpms would be signed with the same key. We then would need to either not have our gpg keys expire, or have processes to resign everything and switch over to new keys, or some other transition method.

> > But looking at the current fedup code it seems that
> > Fedora is going to be the first distribution that abandons package
> > security more and more instead of trying to improve it. As far as I
> > know starting with preupgrade doing insecure updates were promoted
> > and now they are going to be made mandatory (except for the
> > unsupported yum update method).
>
> Please file bugs/patches?
>
> I'd like fedup to verify packages if it doesn't already. I'm sure
> others would too.

I would think that fedup should force the verification of packages. As long as it's not rawhide they are all signed and can be verified.

Dennis