Re: HEADS UP: Source File Verification

On Thu, Jul 25, 2019 at 07:22:56PM +0200, Björn Persson wrote:
> Jason L Tibbitts III wrote:
> > >>>>> "JO" == Joe Orton <jorton@xxxxxxxxxx> writes:  
> > 
> > JO> In the historic CVS-based build system which predated what we now
> > JO> use, we could do GPG key verification at the time of downloading and
> > JO> importing a new tarball.  
> > 
> > You're right; tmz dug up a copy of the old Makefile.common file:
> > https://tmz.fedorapeople.org/tmp/Makefile.common
> 
> It looks like that searched for and verified signatures when the
> packager ran "make download". If they downloaded a new tarball with a
> browser, then it would not be verified automatically. The packager
> could then download the signature too and run "make download-checks"
> manually – if they happened to remember and care. Experience shows that
> most people don't care about security until it's too late, so the
> verification would often not happen. No one else could know whether the
> signature had been verified or not.
> 
> Having that functionality back could be a useful tool, but it would not
> replace verification during the build, which the packager can't just
> forget to do once they have added the one-liner to the spec file.

If you don't enforce GPG verification at or before "fedpkg upload" there 
is no assurance that what hits the lookaside cache is trusted, so I 
agree - doing this at build time is a good example of not caring about 
security until it's too late.

But I assume the FPC is off doing its own thing and will totally ignore 
community feedback as normal, so I'll feel free to carry on ignoring FPC 
output and this whole conversation is pointless.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
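The check argued for above, enforced at upload rather than at build time, as an added example that is not part of the thread or of fedpkg itself: a small wrapper that verifies the detached signature against a keyring committed to the dist-git repo and only then hands the tarball to fedpkg upload. The keyring file name and the `.sig` naming convention are assumptions; a keyring path must contain a slash, otherwise gpgv looks for it in the GnuPG home directory.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to push a tarball into the
# lookaside cache unless its detached signature verifies against a keyring
# pinned in the package repo. File names are placeholders for illustration.
set -u

# verify_source KEYRING SIGNATURE TARBALL
# Returns 0 if gpgv accepts the signature, 2 if an input file is missing,
# 1 if gpgv rejects it (or gpgv is not installed), so a caller can tell
# "not set up" apart from "bad signature".
verify_source() {
    keyring=$1 signature=$2 tarball=$3
    for f in "$keyring" "$signature" "$tarball"; do
        if [ ! -r "$f" ]; then
            printf 'missing input: %s\n' "$f" >&2
            return 2
        fi
    done
    # gpgv trusts every key in the given keyring and nothing else, so the
    # keyring must be the reviewed copy from the repo, not a keyserver lookup.
    if command -v gpgv >/dev/null 2>&1 &&
       gpgv --keyring "$keyring" "$signature" "$tarball"; then
        return 0
    fi
    printf 'signature check FAILED for %s\n' "$tarball" >&2
    return 1
}

# upload_verified KEYRING SIGNATURE TARBALL
# Uploads the tarball and its signature only after verify_source succeeds.
upload_verified() {
    verify_source "$1" "$2" "$3" || return $?
    fedpkg upload "$3" "$2"
}

# Usage: ./upload-verified.sh --run foo-1.2.tar.xz
# (assumes ./gpgkey-PLACEHOLDER.gpg and foo-1.2.tar.xz.sig sit beside it)
if [ "${1:-}" = "--run" ]; then
    upload_verified ./gpgkey-PLACEHOLDER.gpg "$2.sig" "$2"
fi
```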