On Thu, Dec 10, 2015, at 04:58 PM, Kevin Fenzi wrote:
> Also, repo signing doesn't really get us anything does it?

I believe you have stated previously that because the metalink fetch is protected by TLS, which chains to sha256sums, GPG is not necessary. I would say it's not the same thing.

I think GPG signatures are stronger because they're effectively "key pinned". Weaknesses in the CA ecosystem are well documented, e.g. https://lwn.net/Articles/664385/

And command line clients like yum/dnf/rpm-ostree/lorax etc. are actually weaker than browsers in that there's no support for the work that protects browsers, like HPKP etc.

GPG also works offline/statically.

But we could also set up key pinning for repo-md clients as well, of course. (And I would still like this for ostree clients for Atomic Host as well.)

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
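The "metalink over TLS chains to sha256sums" argument above describes a hash chain: the metalink (whose integrity rests on the TLS connection that delivered it) carries digests of repomd.xml, and repomd.xml in turn carries digests of every repodata file it references. The following is an added example written for this page, not code from dnf, yum, librepo or the Fedora mirror manager, that walks that chain over constructed sample data. The metalink and repomd.xml documents, the mirror URL, and the policy of ignoring md5/sha1 entries instead of falling back to them are all assumptions of the example; it does not model the GPG verification or TLS key pinning the mail contrasts it with.

```python
"""Verify a yum/dnf-style trust chain: metalink -> repomd.xml -> repodata files.

Added example, not project code. The metalink is assumed to have been fetched
over an authenticated TLS connection; everything below is what can be checked
offline once it is in hand. All sample documents are constructed inline.
"""
import hashlib
import xml.etree.ElementTree as ET

ML = "{http://www.metalinker.org/}"          # metalink v3 namespace (Fedora style)
RM = "{http://linux.duke.edu/metadata/repo}"  # repomd.xml namespace

# Example policy (assumption): only these digests are accepted. A metalink that
# lists only md5/sha1 is rejected outright rather than used as a weaker fallback.
STRONG_HASHES = ("sha512", "sha256")


def metalink_hashes(metalink: bytes, filename: str = "repomd.xml") -> dict:
    """Return {hash_type: hexdigest} that the metalink lists for `filename`."""
    root = ET.fromstring(metalink)
    for f in root.iter(ML + "file"):
        if f.get("name") == filename:
            return {h.get("type"): h.text.strip() for h in f.iter(ML + "hash")}
    raise ValueError(f"{filename} not listed in metalink")


def check_digests(data: bytes, expected: dict) -> bool:
    """True iff `data` matches the strongest listed digest; weak-only -> ValueError."""
    for algo in STRONG_HASHES:
        if algo in expected:
            return hashlib.new(algo, data).hexdigest() == expected[algo].lower()
    raise ValueError("no sha256/sha512 digest available; refusing weak-hash fallback")


def repomd_entries(repomd: bytes) -> dict:
    """Return {href: (checksum_type, hexdigest)} for every <data> entry in repomd.xml."""
    root = ET.fromstring(repomd)
    out = {}
    for data in root.iter(RM + "data"):
        checksum = data.find(RM + "checksum")
        location = data.find(RM + "location")
        out[location.get("href")] = (checksum.get("type"), checksum.text.strip())
    return out


def verify_chain(metalink: bytes, repomd: bytes, files: dict) -> bool:
    """Walk metalink -> repomd.xml -> each referenced file; any mismatch is False."""
    if not check_digests(repomd, metalink_hashes(metalink)):
        return False  # repomd.xml is not the one the (TLS-protected) metalink vouched for
    for href, (algo, digest) in repomd_entries(repomd).items():
        if algo not in STRONG_HASHES:
            raise ValueError(f"{href}: unacceptable checksum type {algo}")
        if href not in files:
            return False  # referenced repodata file missing: cannot complete the chain
        if hashlib.new(algo, files[href]).hexdigest() != digest.lower():
            return False  # repodata file does not match what repomd.xml promised
    return True


# ---- constructed sample documents (not real Fedora data) -------------------
PRIMARY = b'<metadata xmlns="http://linux.duke.edu/metadata/common" packages="0"/>\n'

REPOMD = f'''<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1449766800</revision>
  <data type="primary">
    <checksum type="sha256">{hashlib.sha256(PRIMARY).hexdigest()}</checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
'''.encode()


def make_metalink(hashes: dict) -> bytes:
    """Build a minimal metalink v3 document listing `hashes` for repomd.xml."""
    rows = "".join(f'     <hash type="{t}">{d}</hash>\n' for t, d in hashes.items())
    return f'''<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files>
  <file name="repomd.xml">
   <verification>
{rows}   </verification>
   <resources><url type="https">https://mirror.example/repodata/repomd.xml</url></resources>
  </file>
 </files>
</metalink>
'''.encode()


METALINK = make_metalink({"sha256": hashlib.sha256(REPOMD).hexdigest()})
WEAK_METALINK = make_metalink({"md5": hashlib.md5(REPOMD).hexdigest()})
FILES = {"repodata/primary.xml.gz": PRIMARY}

if __name__ == "__main__":
    print("intact chain:", verify_chain(METALINK, REPOMD, FILES))
    print("tampered repomd.xml:", verify_chain(METALINK, REPOMD + b"\n", FILES))
    print("tampered primary.xml.gz:",
          verify_chain(METALINK, REPOMD, {"repodata/primary.xml.gz": PRIMARY + b"x"}))
```

Note what the chain does and does not give you: every link after the first is a plain digest comparison, so the whole thing is only as trustworthy as the TLS session that delivered the metalink, which is exactly the dependency on the CA ecosystem the mail objects to. A detached GPG signature over repomd.xml would anchor the same chain in a key the client already holds, and could be checked with no network at all.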