David Woodhouse wrote:
> Our packaging guidelines really ought to mandate that *if* upstream
> publishes GPG or PKCS#7/CMS signatures of source tarballs, then the
> package *must* verify those signatures as part of %prep.

I suppose the point of this would be that others can see that the verification has been done, right? Because technically, verifying a tarball that the packager uploaded, with a signature that the packager uploaded, against a key that the packager uploaded, doesn't really add anything compared to the packager verifying the signature before they upload the tarball.

The difference is that no one else can know whether the packager really did verify the signature, but encoding it in the spec shows publicly that the verification takes place. That's a step in the right direction, and I support the proposal, but let's not fool ourselves into believing that this would prove that the code is genuine. The build system has no way of verifying that the key in the source package really is the upstream developer's key, especially not when it has no Internet access. If an attacker were to trick a packager into downloading a malicious tarball with a corresponding key and signature, then the verification in %prep wouldn't catch that.

Björn Persson
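As an added illustration (not part of the thread, and not Fedora's own macros), the spec fragment below shows what the proposed %prep verification looks like, plus the one thing the build system cannot do by itself: it pins the fingerprint of the key the packager vetted out of band, so a reviewer can compare that value against upstream's published fingerprint. Package name, URLs, the key file name and the fingerprint are placeholders.

```spec
# Added example, not from the original post. Source2 is assumed to be a
# binary (dearmored) keyring file committed to dist-git by the packager.
Name:           example
Version:        1.0
Source0:        https://example.org/example-%{version}.tar.gz
Source1:        https://example.org/example-%{version}.tar.gz.sig
Source2:        example-upstream-key.gpg
BuildRequires:  gnupg2

# Placeholder: the fingerprint the packager confirmed out of band
# (upstream web site, release announcement, web of trust). A reviewer
# checks this literal against the same sources; the build host cannot.
%global upstream_fpr 0000000000000000000000000000000000000000

%prep
# Use a throwaway GnuPG home so nothing on the builder is consulted.
export GNUPGHOME="$(mktemp -d)"
# Read the fingerprint of the committed key without importing it
# (--with-colons: the "fpr" record carries the fingerprint in field 10).
actual_fpr="$(gpg2 --batch --with-colons --import-options show-only \
                   --import %{SOURCE2} \
              | awk -F: '$1 == "fpr" { print $10; exit }')"
# Fail the build if the committed key is not the vetted one.
test "$actual_fpr" = "%{upstream_fpr}"
# Verify the detached signature using only that key.
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%autosetup
```

The fingerprint check does not make the build system trust the key; it only records, in a place reviewers can see, which key the packager claims to have verified.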
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx