On Thu, Mar 31, 2016 at 01:39:17PM -0000, Ralf Senderek wrote:
> But the MUST has some implications:
>
> 1) The packager's trust-building activities into the public key are by no
> means optional.

Yes, the whole exercise would be pointless otherwise.

> 2) Patches that are applied to the signed (and checked) source must also be
> signed by the packager and checked in %prep.

No, that would be just a waste of time. We trust dist-git contents. The
patches are stored in dist-git, so they are already trusted (in the sense
that we know that the patch is what the maintainer committed), so signing
them has no benefit. (The maintainer should check the patch before
committing it, of course.)

> From an ordinary Fedora user's point of view modifications of the trusted
> source code should also be properly attributed to the one who modified.
> If upstream signs its code it is for the purpose to better distinguish
> original and patched code. So in order to add accountability, patches must be
> signed as well.

I don't buy that reasoning. You sign stuff to prevent silent modification
(because of malice or corruption), and not to track changes; we have better
mechanisms for that. If you want to see who changed what, look at the spec
file. In particular, note that "sed in %prep" is just as effective in
changing stuff as a patch, so it makes no sense to just sign the patches in
dist-git, you'd have to sign the whole dist-git contents.

> 3) While the new tarball can be a URL, the public key ring cannot be allowed
> to be downloaded, it must be produced by the packager and added as a file
> to the SOURCE directory.

Yes.

Zbyszek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
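As an added illustration of what points 1 and 3 above amount to in a spec file (this is not code from the thread, from Fedora's packaging guidelines, or from any real package), here is the Source and %prep part of a spec that fetches the tarball and its detached signature by URL but takes the keyring only from a file the packager produced and committed next to the spec. The package name, version, URLs and file names are placeholders.

```spec
# Added example, not from the original thread. Package name, version,
# URLs and file names are placeholders.
Name:           example
Version:        1.0
Release:        1%{?dist}
Summary:        Example package that verifies its upstream tarball in %prep
License:        MIT
URL:            https://example.org/

# The tarball and its detached signature may be fetched from upstream by URL;
# their integrity is established by the signature check below, not by origin.
Source0:        https://example.org/releases/%{name}-%{version}.tar.gz
Source1:        https://example.org/releases/%{name}-%{version}.tar.gz.sig

# The keyring is NOT a URL. It is a file the packager exported after doing
# the trust-building work on the upstream key (e.g. `gpg --export KEYID`,
# binary form so gpgv can read it) and committed to dist-git beside the spec.
# A keyring downloaded at build time would let whoever controls the download
# choose which key the tarball is checked against, making the check pointless.
Source2:        example-keys.gpg

BuildRequires:  gnupg2

%prep
# gpgv exits non-zero, and thus fails the build, unless SOURCE0 carries a
# valid signature from a key in the packager-provided keyring. gpgv never
# fetches keys from the network, so the keyring file is the whole trust root.
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
```

Patches listed as PatchN lines and applied after %setup are deliberately not covered by the check, matching the position taken in the reply: they come from dist-git, whose contents are already trusted. Note that `--keyring` expects the exported key material rather than an ASCII-armoured text file on older GnuPG releases, so export it in binary form.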