In the light of recent RPM signing intrusions, maybe we should resurrect the RPM feature where multiple signatures are allowed (i.e. --addsign is different from --resign)? With this we could then require N good signatures (and no bad ones) on each package before yum would trust the content.

What I'm getting at with this is distributed package signing, which would make the job of breaking the trust much harder for attackers, as they would have to crack the private keys of many people around the world in order to subvert Fedora packages. For instance, an attacker in the position of injecting a bad package and signing it with the Fedora key would still get nowhere, as he'd need to convince other signatories to sign those packages before they became any threat to Fedora users.

Before signing, signatories could require that the original contributor who built the package for a particular tag sends a signed e-mail (containing that tag and the package checksums, valid only once) to the signatories, therefore requiring yet another compromised private key in order to perform an attack. Signatories could also use alternative build systems with no public access (e.g. their own, Matt's at Dell, etc.) to verify package checksums before signing, in order to avoid trusting a compromised Fedora build system.

This would require more distributed resources and would slow the update process down somewhat, but may stop a single point of intrusion from being sufficient to break the distro.

Comments?

-- Bojan

-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
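The acceptance policy sketched in the message ("N good signatures and no bad ones", distinct signatories, plus a one-time signed note from the contributor binding tag and checksum) as a runnable example. This is added illustration, not yum, RPM or Fedora code. The signatures are textbook RSA over fixed Mersenne primes so that it runs with the Python standard library alone; that is a labelled stand-in for real GPG keys and is far too small for actual use. The key names, the tag "f9-updates" and the checksum value are constructed for the demo.

```python
"""Threshold signature policy: accept a package only if at least N distinct
trusted keys verify and no presented signature fails.  Added example, not
yum/RPM code.  Signatures are toy RSA over fixed Mersenne primes (a stand-in
for GPG keys, NOT secure); the point is the acceptance policy."""
import hashlib

E = 65537  # public exponent shared by all toy keys

# Constructed toy key material: each party gets a distinct modulus from two
# Mersenne primes.  "attacker" is a key NOT in the distribution's trusted set.
_PRIME_PAIRS = {
    "fedora":      (2**61 - 1, 2**89 - 1),
    "alice":       (2**107 - 1, 2**127 - 1),
    "bob":         (2**31 - 1, 2**521 - 1),
    "contributor": (2**19 - 1, 2**607 - 1),
    "attacker":    (2**17 - 1, 2**1279 - 1),
}


def toy_keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # Python 3.8+ modular inverse
    return n, d


KEYS = {name: toy_keypair(p, q) for name, (p, q) in _PRIME_PAIRS.items()}
PUBLIC = {name: n for name, (n, _) in KEYS.items()}


def _digest_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg, name):
    n, d = KEYS[name]
    return pow(_digest_int(msg, n), d, n)


def verify(msg, sig, n):
    return 0 <= sig < n and pow(sig, E, n) == _digest_int(msg, n)


def signed_message(tag, checksum):
    """What every signatory signs: the build tag and checksum bound together."""
    return f"{tag}\n{checksum}".encode()


def check_package(tag, checksum, signatures, trusted, required):
    """signatures: list of (claimed key name, signature).  trusted: {name: n}.
    Returns (accepted, good_signers, bad_signers).  A signature from a key not
    in `trusted`, or one that does not verify under the key it claims, counts
    as bad and is fatal; the same key signing twice is still one vote."""
    msg = signed_message(tag, checksum)
    good, bad = set(), []
    for name, sig in signatures:
        if name in trusted and verify(msg, sig, trusted[name]):
            good.add(name)
        else:
            bad.append(name)
    return len(good) >= required and not bad, sorted(good), bad


class OneTimeAttestations:
    """The contributor's signed (tag, checksum) note, accepted exactly once."""

    def __init__(self, contributor_n):
        self.n = contributor_n
        self.seen = set()

    def accept(self, tag, checksum, sig):
        msg = signed_message(tag, checksum)
        if msg in self.seen or not verify(msg, sig, self.n):
            return False
        self.seen.add(msg)
        return True


def demo():
    """Run the policy (N=2) over the scenarios from the message."""
    trusted = {k: PUBLIC[k] for k in ("fedora", "alice", "bob")}
    tag, sha = "f9-updates", "sha256:" + "ab" * 32   # constructed values
    msg = signed_message(tag, sha)
    other = signed_message(tag, "sha256:" + "cd" * 32)  # a different package
    f, a, b = sign(msg, "fedora"), sign(msg, "alice"), sign(msg, "bob")
    return {
        "honest":          check_package(tag, sha, [("fedora", f), ("alice", a)], trusted, 2)[0],
        "fedora_only":     check_package(tag, sha, [("fedora", f)], trusted, 2)[0],
        "fedora_twice":    check_package(tag, sha, [("fedora", f), ("fedora", f)], trusted, 2)[0],
        "fedora_attacker": check_package(tag, sha, [("fedora", f), ("attacker", sign(msg, "attacker"))], trusted, 2)[0],
        "one_bad_sig":     check_package(tag, sha, [("fedora", f), ("bob", b), ("alice", sign(other, "alice"))], trusted, 2)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Only the "honest" case passes: a compromised Fedora key alone, the same key presented twice, a key outside the trusted set, or any failing signature all cause rejection. `OneTimeAttestations` is the contributor's e-mail check: the same signed (tag, checksum) note is refused on replay.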