On Thu, 2019-08-08 at 16:24 +0200, Björn Persson wrote: > Joe Orton wrote: > > If you don't enforce GPG verification at or before "fedpkg upload" there > > is no assurance that what hits the lookaside cache is trusted, so I > > agree - doing this at build time is a good example of not caring about > > security until it's too late. > > I hope most people reading this can see the flaws in that reasoning. > > > But I assume the FPC is off doing its own thing and will totally ignore > > community feedback as normal, > > It took a long time and some prodding, but the fact that the source > file verification policy was eventually accepted is proof that this > accusation is false. Hi Björn, I have not commented on this till now and both Joe's email is needlessly provocative as well as your dismissal is a bit content-less. The question is simply, how can you trust build time verification if you do not have INPUT time verification ? What prevents me from putting *into* Fedora a completely bogus source *AND* public key that always verifies correctly ? Simo. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
