> On Wed, Mar 30, 2016 at 02:26:59PM -0000, Ralf Senderek wrote:
> [snip the part I completely agree with]
> ...
> In fact signatures and license files are quite similar:
> our guidelines say that the license file MUST be installed if provided
> by upstream, and packagers SHOULD ask upstream to provide it if it is
> missing [1]. I think we should follow this pattern for signatures.

I think MUST or SHOULD should be decided in light of the threat model.

If upstream signs the source code, what are they trying to prevent? Most likely they don't want anyone else to be able to produce updated source code that looks legitimate.

Now, what if there is a new updated source code without a matching signature on the upstream website? Upstream clearly does not want this code to go into Fedora.

What if there is a new updated source code with a matching signature and a new key? At that point the packager has got some work to do, because it's not clear what that means.

a) if the new key is signed by the old code signing key, prepare a new keyring and go ahead.

b) if the new key is self-signed because upstream has had an incident in which the sole control over the old key's private key may have been lost, then an attacker could create a new key that looks legitimate to the packager like a).

A packager cannot tell a) from b) if he does not make close contact with upstream about the new key. No automation is possible here. In case of an incident where the private key may be compromised, upstream is required to build the trust into the new key from the ground up.

As these cases can be quite complicated and would need some serious actions on behalf of the packager I think at the moment everything speaks in favour of SHOULD, because we don't have a bullet-proof procedure everyone can follow.

But that's only my 2c.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
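The decision tree laid out in the message above (unsigned release, release signed by the pinned key, new key certified by the old key as in case a, new key that is only self-signed as in case b) written out as a small Python model. This is an added example, not code from the thread or from Fedora's packaging tooling: the fingerprints, certifications and release records are constructed sample data standing in for what a packager would read out of the shipped keyring and the upstream site with real OpenPGP tools, and the decision codes (`accept`, `reject-unsigned`, `rotate`, `manual`) are names chosen here.

```python
"""Model of the packager's signature decision for a new upstream release.

The keyring, certifications and fingerprints below are constructed sample
data; they are not real OpenPGP keys or signatures.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Certification:
    """A certification (key signature) found on a public key."""
    signer: str   # fingerprint of the key that made the certification
    subject: str  # fingerprint of the key being certified


@dataclass(frozen=True)
class PinnedKeyring:
    """The keyring the packager ships with the package (the 'old' trusted keys)."""
    trusted: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Release:
    """What the packager finds for a new version on the upstream site."""
    version: str
    signer: Optional[str]                      # fingerprint behind the tarball signature, None if unsigned
    certifications: Tuple[Certification, ...] = ()  # certifications present on the signer's key


def classify_release(keyring: PinnedKeyring, release: Release) -> str:
    """Return one of: 'reject-unsigned', 'accept', 'rotate', 'manual'.

    'rotate' is case a) from the thread: the new key carries a certification
    from a key already in the pinned keyring.  'manual' is case b): the new
    key is only self-signed or certified by keys the packager does not trust,
    so the packager has to confirm it with upstream out of band.
    """
    if release.signer is None:
        return "reject-unsigned"
    if release.signer in keyring.trusted:
        return "accept"
    for cert in release.certifications:
        cross_signed = cert.subject == release.signer and cert.signer != cert.subject
        if cross_signed and cert.signer in keyring.trusted:
            return "rotate"
    return "manual"


def rotate_keyring(keyring: PinnedKeyring, release: Release) -> PinnedKeyring:
    """Produce the new pinned keyring for case a); refuse every other outcome."""
    decision = classify_release(keyring, release)
    if decision != "rotate":
        raise ValueError(f"cannot rotate keyring: decision was {decision!r}")
    return PinnedKeyring(trusted=keyring.trusted | {release.signer})


# --- constructed sample data -------------------------------------------------
OLD_KEY = "1111111111111111111111111111111111111111"   # key already pinned in the package
NEW_KEY = "2222222222222222222222222222222222222222"   # key upstream rotates to
ROGUE_KEY = "3333333333333333333333333333333333333333" # self-signed key of unknown origin

PINNED = PinnedKeyring(trusted={OLD_KEY})

UNSIGNED = Release("1.0.1", signer=None)
SIGNED_OLD = Release("1.0.2", signer=OLD_KEY)
CROSS_SIGNED = Release("1.1.0", signer=NEW_KEY, certifications=(
    Certification(signer=NEW_KEY, subject=NEW_KEY),   # self-signature
    Certification(signer=OLD_KEY, subject=NEW_KEY),   # old key vouches for new key (case a)
))
SELF_SIGNED_ONLY = Release("1.1.0", signer=ROGUE_KEY, certifications=(
    Certification(signer=ROGUE_KEY, subject=ROGUE_KEY),  # nothing links it to the old key (case b)
))


def run_samples() -> dict:
    """Classify every sample release against the pinned keyring."""
    return {r.version + ":" + str(r.signer)[:4]: classify_release(PINNED, r)
            for r in (UNSIGNED, SIGNED_OLD, CROSS_SIGNED, SELF_SIGNED_ONLY)}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:12} -> {decision}")
    print("after rotation:", sorted(rotate_keyring(PINNED, CROSS_SIGNED).trusted))
```

The point the model makes explicit is the one the message argues: a self-signature on the new key carries no information, because anyone can produce one, so the only automatable acceptance path is a certification from a key the packager already pins; everything else falls through to a conversation with upstream.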