On 01/08/2013 10:55 AM, Peter Jones wrote:
> On Tue, Jan 08, 2013 at 03:52:02PM +0000, Petr Pisar wrote:
>> On 2013-01-08, Jaroslav Reznik <jreznik@xxxxxxxxxx> wrote:
>>> = Features/PackageSignatureCheckingDuringInstall =
>>> https://fedoraproject.org/wiki/Features/PackageSignatureCheckingDuringInstall
>>>
>>> * Detailed description:
>>> One long-standing problem in Fedora is that we don't check package
>>> signatures during installation. This has been a persistent issue since
>>> the very beginning of Fedora (and even in Red Hat Linux before it.) The
>>> reason for this has always been that there's no way to form any root of
>>> trust for the signatures in the repositories, and thus no reason they
>>> wouldn't have been modified along with whatever package would need to be
>>> re-signed after tampering.
>>
>> Reading till here makes me ponder how it's possible rpm does not check
>> package signature.
>>
>>> Following the implementation of Features/SecureBoot, we can extend the
>>> Secure Boot keys as a root of trust provided by the hardware against
>>> which we can verify a signature on our key files, thus guaranteeing that
>>> they're from the same source as the boot media.
>>
>> Now it's clear it's about installing distribution. Not about installing a
>> package with rpm in general. Could the responsible person change title and
>> abstract to be clear it's about _distribution_ installation?
>
> Sure thing. It's now at
> https://fedoraproject.org/wiki/Features/PackageSignatureCheckingDuringOSInstall ,
> and the title and description have been changed to match that.

What about respins? I want to add my own custom package that is not signed
and create a new CD with a custom ks.cfg. How would that work?

Thanks,

--
Stephen Clark
NetWolves
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@xxxxxxxxxxxxx
http://www.netwolves.com
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel