On Thu, 10 Dec 2015 21:28:17 -0500 Colin Walters <walters@xxxxxxxxxx> wrote:

> On Thu, Dec 10, 2015, at 06:08 PM, Kevin Fenzi wrote:
>
> > Well, to be clear, I still think it's good to sign packages...
>
> Yes, but just signing packages but allowing attacker-controlled
> metadata has various issues detailed in the papers linked
> from http://theupdateframework.com/
> (Mostly forcing the client to install a signed but old/vulnerable
> package, particularly bad for network server packages)

Sure, but we aren't allowing attacker-controlled metadata, it's still
using a well known ssl cert, which... (see below)

>
> > Sure, but it's also a chicken and egg problem.
> >
> > If you start from just having windows or something you don't have
> > our gpg keys either and have to either trust the https page to
> > download them or some gpg keyserver.
>
> We were just talking about the rpm-md (yum) repos, right?
> I wouldn't really expect a Windows user to validate those,
> this is just something mostly where we set up our
> tools post-OS install to validate.

No, I meant someone who starts out installing our OS. How do they know
the gpg key that they get is the real valid one? Right now, they use...
a well known ssl cert to download the OS over https. Just like the
metalinks that they would download later.

> > So rpm-md repo signatures are desirable. (And same for
> > the ostree repo side)

Well, it changes it from having to use a ssl cert once (to download the
initial OS) to using it all the time (downloading metalinks/updates),
which I suppose reduces the ssl cert issue, but does not get rid of it.

kevin
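The rollback Colin points to (a signed but old snapshot re-served to clients, which a signature-only check happily accepts) and the two checks that signed repo metadata adds, as an added Python example that is not from this thread or from Fedora's tooling. The HMAC signing key, the snapshot format and the timestamps are constructed stand-ins for the GPG-signed rpm-md metadata under discussion.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the repository signing key. A real rpm-md or ostree
# repo carries a GPG signature on its metadata; the HMAC is an assumption so the
# demo runs offline with only the standard library.
REPO_KEY = b"constructed-demo-signing-key"


def sign(metadata: dict) -> bytes:
    """Sign a metadata snapshot (stand-in for the repo's GPG signature)."""
    body = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(REPO_KEY, body, hashlib.sha256).digest()


def package_only_accept(metadata: dict, signature: bytes, now: int) -> str:
    """Signature-only check: any old, still-signed snapshot passes (the rollback Colin warns about)."""
    return "accept" if hmac.compare_digest(sign(metadata), signature) else "reject: bad signature"


class SignedMetadataClient:
    """Adds the two checks signed repo metadata makes possible: a monotonically
    increasing version (blocks rollback) and an expiry (blocks freeze)."""

    def __init__(self) -> None:
        self.last_version = 0  # highest version accepted so far; a real client persists it

    def accept(self, metadata: dict, signature: bytes, now: int) -> str:
        if not hmac.compare_digest(sign(metadata), signature):
            return "reject: bad signature"
        if metadata["expires"] < now:
            return "reject: expired"  # mirror is serving stale metadata
        if metadata["version"] <= self.last_version:
            return "reject: rollback"  # older than what we already trusted
        self.last_version = metadata["version"]
        return "accept"


def demo() -> dict:
    day, t0 = 86400, 1_449_800_000  # constructed epoch timestamp, roughly Dec 2015
    # Two constructed snapshots: v1 lists the vulnerable build, v2 the fixed one.
    v1 = {"version": 1, "expires": t0 + 7 * day, "packages": {"httpd": "2.4.17-1"}}
    v2 = {"version": 2, "expires": t0 + 14 * day, "packages": {"httpd": "2.4.17-2"}}
    s1, s2 = sign(v1), sign(v2)
    strict = SignedMetadataClient()
    strict.accept(v2, s2, now=t0 + day)  # client has already seen the current snapshot
    return {
        "replayed_v1_naive": package_only_accept(v1, s1, now=t0 + 2 * day),
        "replayed_v1_strict": strict.accept(v1, s1, now=t0 + 2 * day),
        "stale_v2_strict": strict.accept(v2, s2, now=t0 + 30 * day),
        "tampered_strict": strict.accept(dict(v2, version=3), s2, now=t0 + 2 * day),
    }
```

The naive client accepts the replayed v1 snapshot because its signature is still valid; the strict client rejects it as a rollback, rejects the same v2 snapshot once its expiry has passed, and rejects a version bump that was not re-signed.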