On Oct 25, 2004, Ian Pilcher <i.pilcher@xxxxxxxxxxx> wrote:

> I must admit that I don't understand why it's even *possible* for an
> unsigned package to make its way into any official up2date repository.

rawhide isn't an up2date repository. It's just a dump of the latest
builds of every package in the Red Hat build system, started by cron at
a fixed time in very early morning when there's nobody around to sign
packages that developers hacked on all night.

Sure enough, one could add an automated signature to such packages, but
this only means such a signature would be worth nothing, for being
generated with a key not protected by a passphrase, stored on a box not
exactly secure. E.g., if the automated rawhide build procedure could get
into it to sign packages, without any password-protected authentication,
what is this signature worth?

> Common sense would seem to dictate the use of some type of simple script
> to move packages from a "staging" directory into the repository; signing
> the package should be part of this process, not something that Red Hat
> developers have to do manually.

'fraid your common sense is not in line with common sense in terms of
good security practices.

Sure enough, the rawhide build could refrain from using unsigned
packages, but the point of rawhide is to provide people with the latest
packages for testing. The 24-hour turn-around time is sometimes too
long already; adding the need for one of the few people who actually
have access to the signing keys to be around to sign them would probably
just increase the turn-around time. You just can't have it both ways.

(ok, you could: there could be one repository with only signed packages,
and one with the really latest stuff even if unsigned, but... 36GB/day
is bad enough)

-- 
Alexandre Oliva             http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer   aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist  oliva@{lsd.ic.unicamp.br, gnu.org}
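The "staging directory" script the thread argues about, written the way the security argument above implies it should be: the script does not sign anything (a passphrase-less key on the build box would add nothing), it only promotes packages that already carry a signature which `rpm -K` verifies against a key imported into the rpm keyring, and it leaves unsigned or untrusted packages behind. This is an added example, not code from the thread, Red Hat, or the rawhide build system; the `rpm -K` output tokens it matches ("gpg"/"pgp", "OK", "NOT OK") are those of rpm 4.x as assumed here, and the directory names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Promote packages from a
# staging directory into a repository only when 'rpm -K' reports an
# OpenPGP signature that verifies against the rpm keyring. Unsigned
# packages stay in staging, so the repository never carries one.
# Assumption: rpm 4.x 'rpm -K' output, e.g.
#   pkg.rpm: (sha1) dsa sha1 md5 gpg OK          signed, key trusted
#   pkg.rpm: sha1 md5 OK                         digests only, unsigned
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#...)

# Classify one line of 'rpm -K' output. Echoes one of:
#   signed   - a gpg/pgp signature is present and verified ("... gpg OK")
#   unsigned - digests only, no signature at all ("... sha1 md5 OK")
#   bad      - digest or signature failed, or key not in the keyring
classify_checksig() {
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # Drop the "path.rpm: " prefix so a package *name* containing "gpg"
    # or "ok" cannot be mistaken for a verification token.
    line=${line#*.rpm: }
    case "$line" in
        *"not ok"*)            echo bad ;;
        *gpg*ok*|*pgp*ok*)     echo signed ;;
        *ok*)                  echo unsigned ;;
        *)                     echo bad ;;
    esac
}

# Move every package in $1 (staging) whose signature verifies into $2
# (repository). Anything else is reported on stderr and left in place.
promote_signed() {
    staging=$1
    repo=$2
    for pkg in "$staging"/*.rpm; do
        [ -f "$pkg" ] || continue
        verdict=$(classify_checksig "$(rpm -K "$pkg" 2>&1)")
        case "$verdict" in
            signed)   mv "$pkg" "$repo"/ ;;
            unsigned) echo "leaving unsigned package in staging: $pkg" >&2 ;;
            *)        echo "REJECT (bad or untrusted signature): $pkg" >&2 ;;
        esac
    done
}

# Usage with hypothetical paths:  sh promote.sh /srv/staging /srv/repo/signed
if [ $# -eq 2 ]; then
    promote_signed "$1" "$2"
fi
```

Note that `rpm -K` alone is not enough as a gate: it exits 0 for an unsigned package whose digests are intact, so a script that did `rpm -K "$pkg" && mv ...` would promote exactly the unsigned builds the thread is worried about. The classifier treats "digests OK, no gpg/pgp token" as unsigned for that reason, and only a signature by a key already imported into the rpm keyring (`rpm --import`) counts as signed.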