On Mon, Jan 27, 2014 at 10:59 AM, poma <pomidorabelisima@xxxxxxxxx> wrote:
> On 27.01.2014 19:52, Kevin Fenzi wrote:
>
>> copr has no provision currently to sign packages.
>>
>> I think it's on the todo list, but it will not be easy to implement in
>> a secure way.
>
> Ouch!
>

I'm skeptical about the whole package-signing thing. Why don't we sign
repository metadata and have that metadata store hashes of the
appropriate packages? Then adding a key for a repository wouldn't
magically allow that key to sign packages claiming to come from a
different repository. It would also prevent various replay-old-package
attacks.

Configuration could be simpler, too:

[some-copr-repo]
name=Name
metalink=whatever
metalink_key=[private key, specified right here]
gpgcheck=0

I doubt that GPG's keyring concepts or web-of-trust stuff add any
security whatsoever to things like rpm and yum. They do, however, make
configuration unnecessarily arcane.

--Andy

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
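The scheme Andy sketches above (sign the repository metadata, list package hashes inside it, and let the per-repository key vouch only for its own repository) can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not code from Andy, Copr, yum or rpm. It assumes Ed25519 signatures over a JSON metadata document, a `repo` field that names the repository, a monotonically increasing `revision` counter as the anti-replay check, and made-up repository names and package contents. A real client would also pin an expiry time and fetch the metadata over the metalink, neither of which is modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Metadata is the only thing that gets signed. Everything the client trusts
// is inside it: the repository it belongs to, a revision counter that must
// only go up (so an attacker cannot replay an older, vulnerable package set),
// and the SHA-256 of every package the repository currently serves.
// Assumed format for this example; not yum's repodata.
type Metadata struct {
	Repo     string            `json:"repo"`
	Revision uint64            `json:"revision"`
	Packages map[string]string `json:"packages"` // filename -> sha256 hex
}

// SignedMetadata is what the repository publishes: the canonical JSON bytes
// plus a detached Ed25519 signature over exactly those bytes.
type SignedMetadata struct {
	Payload   []byte
	Signature []byte
}

// GenerateRepoKey makes a fresh keypair for one repository. The public half
// is what the client would paste into its repo configuration.
func GenerateRepoKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// PackageHash is the value the repository records per package file.
func PackageHash(contents []byte) string {
	sum := sha256.Sum256(contents)
	return hex.EncodeToString(sum[:])
}

// Sign serialises the metadata (encoding/json emits map keys in sorted
// order, so the bytes are deterministic) and signs it with the repo key.
func Sign(priv ed25519.PrivateKey, md Metadata) (SignedMetadata, error) {
	payload, err := json.Marshal(md)
	if err != nil {
		return SignedMetadata{}, err
	}
	return SignedMetadata{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the client side. pub is the key configured for repoName and
// lastRevision is the newest revision this client has already accepted.
// All three checks must pass: the signature, the repository binding (so a
// blob signed for one repo cannot be served as another), and freshness.
func Verify(pub ed25519.PublicKey, repoName string, lastRevision uint64, sm SignedMetadata) (Metadata, error) {
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return Metadata{}, errors.New("metadata signature does not verify under this repo's key")
	}
	var md Metadata
	if err := json.Unmarshal(sm.Payload, &md); err != nil {
		return Metadata{}, err
	}
	if md.Repo != repoName {
		return Metadata{}, fmt.Errorf("metadata is for repo %q, expected %q", md.Repo, repoName)
	}
	if md.Revision <= lastRevision {
		return Metadata{}, fmt.Errorf("stale metadata: revision %d is not newer than %d", md.Revision, lastRevision)
	}
	return md, nil
}

// CheckPackage accepts a downloaded file only if verified metadata lists it
// under this name with this hash. The package itself carries no signature.
func CheckPackage(md Metadata, filename string, contents []byte) error {
	want, ok := md.Packages[filename]
	if !ok {
		return fmt.Errorf("%s is not listed in metadata for %s", filename, md.Repo)
	}
	if PackageHash(contents) != want {
		return fmt.Errorf("hash mismatch for %s", filename)
	}
	return nil
}

func main() {
	pubA, privA, _ := GenerateRepoKey()
	_, privB, _ := GenerateRepoKey()
	pkg := []byte("constructed stand-in for foo-1.0.rpm") // constructed sample, not a real rpm

	md := Metadata{Repo: "copr-a", Revision: 2,
		Packages: map[string]string{"foo-1.0.rpm": PackageHash(pkg)}}
	sm, _ := Sign(privA, md)

	got, err := Verify(pubA, "copr-a", 1, sm)
	fmt.Println("repo A, fresh:", err, "| package ok:", CheckPackage(got, "foo-1.0.rpm", pkg))

	smB, _ := Sign(privB, md) // repo B's key trying to vouch for repo A's packages
	_, err = Verify(pubA, "copr-a", 1, smB)
	fmt.Println("signed with B's key:", err)

	_, err = Verify(pubA, "copr-a", 2, sm) // replaying metadata the client already moved past
	fmt.Println("replayed revision:", err)
}
```

Because the client verifies with the one key named in that repository's configuration and the metadata names the repository it belongs to, a key added for `copr-b` can never make a package look like it came from `copr-a`, which is the property the mail asks for; the revision counter is what turns "serve the client an old metadata file pointing at an old package" into a detectable error rather than a silent downgrade.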