On Thu, 10 Dec 2015 17:29:14 -0500 Colin Walters <walters@xxxxxxxxxx> wrote:

> On Thu, Dec 10, 2015, at 04:58 PM, Kevin Fenzi wrote:
>
> > Also, repo signing doesn't really get us anything does it?
>
> I believe you have stated previously that because the metalink fetch
> is protected by TLS which chains to sha256sums, and hence
> GPG is not necessary, I would say it's not the same thing.

Well, to be clear, I still think it's good to sign packages...

> I think GPG signatures are stronger because they're effectively "key
> pinned".
>
> Weaknesses in the CA ecosystem are well documented, e.g.
> https://lwn.net/Articles/664385/
> And command line clients like yum/dnf/rpm-ostree/lorax etc. are
> actually weaker than browsers in that there's no support for
> the work that protects browsers like HPKP etc.

Sure, but it's also a chicken and egg problem. If you start from just having Windows or something, you don't have our GPG keys either and have to either trust the https page to download them or some GPG keyserver.

> GPG also works offline/statically.

Yep.

> But we could also set up key pinning for repo-md clients as well of
> course. (And I would still like this for ostree clients for Atomic
> Host as well)

Yeah. I think there is an existing RFE for dnf for pinning, but I can't seem to find it.

kevin
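The "TLS chains to sha256sums" model Colin refers to, as an added example that is not code from dnf, yum or this thread: the TLS-fetched metalink pins repomd.xml by sha256, and repomd.xml pins each metadata file by sha256, so a client can verify the whole chain offline once it has the metalink. The XML here is a constructed, simplified stand-in for the real metalink and repomd formats.

```python
# Added example, not from the thread: walk the metalink -> repomd.xml -> metadata hash chain.
import hashlib
import xml.etree.ElementTree as ET

ML_NS = "{http://www.metalinker.org/}"            # metalink 3.0 namespace
REPO_NS = "{http://linux.duke.edu/metadata/repo}"  # repomd.xml namespace


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def metalink_sha256(metalink_xml: bytes, name: str = "repomd.xml") -> str:
    """Return the sha256 the metalink asserts for the named file."""
    for f in ET.fromstring(metalink_xml).iter(f"{ML_NS}file"):
        if f.get("name") == name:
            h = f.find(f"{ML_NS}verification/{ML_NS}hash[@type='sha256']")
            if h is None or not h.text:
                raise ValueError(f"metalink carries no sha256 for {name}")
            return h.text.strip().lower()
    raise ValueError(f"{name} not listed in metalink")


def repomd_checksums(repomd_xml: bytes) -> dict:
    """Map each <data type=...> entry in repomd.xml to its declared sha256."""
    out = {}
    for d in ET.fromstring(repomd_xml).iter(f"{REPO_NS}data"):
        c = d.find(f"{REPO_NS}checksum[@type='sha256']")
        if c is not None and c.text:
            out[d.get("type")] = c.text.strip().lower()
    return out


def verify_chain(metalink_xml: bytes, repomd_xml: bytes, files: dict) -> bool:
    """Fail closed: repomd.xml must match the metalink, and every fetched
    metadata file must match the checksum repomd.xml declares for its type."""
    if sha256_hex(repomd_xml) != metalink_sha256(metalink_xml):
        return False
    declared = repomd_checksums(repomd_xml)
    return all(k in declared and sha256_hex(v) == declared[k] for k, v in files.items())


# Constructed sample repo: a stand-in primary.xml, its repomd.xml, and the metalink.
PRIMARY = b"<metadata packages='1'><package>constructed</package></metadata>"
REPOMD = (b'<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
          b'<checksum type="sha256">' + sha256_hex(PRIMARY).encode() + b'</checksum>'
          b'<location href="repodata/primary.xml.gz"/></data></repomd>')
METALINK = (b'<metalink version="3.0" xmlns="http://www.metalinker.org/"><files>'
            b'<file name="repomd.xml"><verification><hash type="sha256">'
            + sha256_hex(REPOMD).encode() + b'</hash></verification></file></files></metalink>')

if __name__ == "__main__":
    print(verify_chain(METALINK, REPOMD, {"primary": PRIMARY}))          # True
    print(verify_chain(METALINK, REPOMD, {"primary": PRIMARY + b"x"}))  # False: tampered file
```

Note what the chain does not give you: its root is whichever TLS connection delivered the metalink, which is exactly the CA-trust gap the GPG signature on the repo metadata is meant to close.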
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx