On 27.01.2014 20:28, Andrew Lutomirski wrote:
> On Mon, Jan 27, 2014 at 10:59 AM, poma <pomidorabelisima@xxxxxxxxx> wrote:
>> On 27.01.2014 19:52, Kevin Fenzi wrote:
>>
>>> copr has no provision currently to sign packages.
>>>
>>> I think it's on the todo list, but it will not be easy to implement in
>>> a secure way.
>>
>> Ouch!
>>
>
> I'm skeptical about the whole package-signing thing. Why don't we
> sign repository metadata and have that metadata store hashes of the
> appropriate packages? Then adding a key for a repository wouldn't
> magically allow that key to sign packages claiming to come from a
> different repository. It would also prevent various
> replay-old-package attacks.
>
> Configuration could be simpler, too:
>
> [some-copr-repo]
> name=Name
> metalink=whatever
> metalink_key=[private key, specified right here]
> gpgcheck=0
>
> I doubt that GPG's keyring concepts or web-of-trust stuff add any
> security whatsoever to things like rpm and yum. They do, however,
> make configuration unnecessarily arcane.

We shouldn't so easily change tried and tested methods just because you "doubt". :)

Ouch[2]!

poma

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
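The trust model Andrew sketches in the quoted message (a per-repository key in the yum config, a signed metadata file that carries the digest of every package, and a version so stale metadata cannot be replayed) can be made concrete with a small model. The following is an added example, not code from the thread, from copr, or from yum. It assumes constructed repository ids and key bytes, and it uses HMAC-SHA256 as a stand-in for a real digital signature so that it runs on the Python standard library alone; the three checks a client would perform (signature under the configured repository's key, metadata bound to that repository id, version not older than the last one accepted) are the same as with a public-key signature.

```python
import hashlib
import hmac
import json

# Constructed demo keys: one per repository, standing in for the key Andrew's
# sketch puts directly in the [repo] section of the yum config. HMAC is used
# instead of a real signature scheme so this runs with the stdlib only.
REPO_KEYS = {
    "some-copr-repo": b"constructed-key-for-some-copr-repo",
    "other-copr-repo": b"constructed-key-for-other-copr-repo",
}


def sign_metadata(repo_id, version, packages, key):
    """Build metadata listing each package's SHA-256 digest and sign the whole blob.

    `packages` maps package file name -> package bytes (constructed inputs here).
    """
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in packages.items()}
    body = json.dumps(
        {"repo": repo_id, "version": version, "packages": digests}, sort_keys=True
    ).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_metadata(repo_id, signed, key, last_seen_version):
    """Return (metadata, status). Metadata is None unless every check passes.

    Checks: signature under the key configured for *this* repository, the
    metadata names this repository (a key cannot vouch for another repo's
    packages), and the version has not gone backwards (no replay of old
    metadata that still lists a package we have since moved past).
    """
    expected = hmac.new(key, signed["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return None, "bad signature"
    meta = json.loads(signed["body"])
    if meta["repo"] != repo_id:
        return None, "metadata belongs to a different repository"
    if meta["version"] < last_seen_version:
        return None, "replayed (older) metadata"
    return meta, "ok"


def verify_package(meta, name, data):
    """A package is trusted only if trusted metadata lists exactly its digest."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(meta["packages"].get(name, ""), digest)


def run_scenarios():
    """Exercise the model on constructed inputs; returns the outcome of each case."""
    pkgs_v1 = {"foo-1.0-1.noarch.rpm": b"constructed rpm bytes v1"}
    pkgs_v2 = {"foo-1.1-1.noarch.rpm": b"constructed rpm bytes v2"}
    some_key = REPO_KEYS["some-copr-repo"]
    other_key = REPO_KEYS["other-copr-repo"]

    md_v1 = sign_metadata("some-copr-repo", 1, pkgs_v1, some_key)
    md_v2 = sign_metadata("some-copr-repo", 2, pkgs_v2, some_key)

    results = {}

    # 1. Current metadata from the right repo: accepted, and its package verifies.
    meta, results["current"] = verify_metadata("some-copr-repo", md_v2, some_key, 1)
    results["package_ok"] = verify_package(meta, "foo-1.1-1.noarch.rpm", pkgs_v2["foo-1.1-1.noarch.rpm"])

    # 2. Package bytes altered in transit: digest no longer matches the listing.
    results["package_tampered"] = verify_package(meta, "foo-1.1-1.noarch.rpm", b"something else")

    # 3. Metadata legitimately signed for some-copr-repo is presented to a client
    #    configured for other-copr-repo: the other repo's key rejects it.
    _, results["cross_repo"] = verify_metadata("other-copr-repo", md_v2, other_key, 0)

    # 4. Old but genuinely signed metadata replayed after the client has seen v2.
    _, results["replay"] = verify_metadata("some-copr-repo", md_v1, some_key, 2)

    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case}: {outcome}")
```

The per-repository key is the binding that the quoted message argues for: each check in `verify_metadata` is evaluated against the key and repository id from the client's own configuration, so a key that is trusted for one repository never gets to speak for another, and the monotonic version handles the replay case without any keyring or web-of-trust machinery.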