On Tue, 26 Oct 2004, Douglas Furlong wrote:

> On Tue, 2004-10-26 at 15:13 +0200, nodata wrote:
> >
> > Then perhaps rawhide should be signed with a separate key that signs the
> > packages without a live body.

+1

> If this is done then it severely reduces the relevance of having them
> signed in the first place.

No it doesn't (see note below).

> My understanding is that, when a package is "signed" by redhat, a human
> steps up to the plate, does certain verifications, then puts in the pass
> phrase, and hey presto you have a signed package.
>
> Your suggestion automates the whole process, and drastically reduces the
> security model.

It will be much better than the current model of no signatures. And
'rawhide-gpg-key' could mean 'rpm built on redhat-beehive', and nothing
more. It shouldn't have to mean "beehive not hacked & 'rawhide-gpg-key'
not stolen".

Also, I'm not sure how the human intervention guarantees that the
key/passphrases aren't stolen. The only way I can think of is hardware
encryption (aka Palladium?) where keys can never be copied/stolen (in
which case passphrases are not necessary).

And as a user, I should be able to query the rpm db with: list all
packages currently installed that are signed with the key
'rawhide-gpg-key'.

Satish
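The query Satish asks for at the end (list every installed package signed by a given key) can be answered with rpm's own query format. What follows is an added example, not code from the original thread or from Red Hat: it assumes rpm's `:pgpsig` format modifier, which renders a signature tag as "ALGO/HASH, date, Key ID <16 hex digits>", and it filters that output by key ID. The package names and key IDs in `sample_rpm_output` are constructed for the example so the filtering runs without an rpm database; `installed_signed_by` is the same pipeline against a live system.

```shell
#!/bin/sh
# Added example, not code from the original thread: list the installed
# packages whose RPM signature was made by a given PGP key ID.
#
# Query format for `rpm -qa`: NAME-VERSION-RELEASE, then the signature from
# whichever header tag holds it (the same conditional expression rpm's own
# `-qi` output uses for its "Signature:" line), or "(none)" if unsigned.
RPM_QF='%{NAME}-%{VERSION}-%{RELEASE} %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n'

# Constructed sample output in the shape `rpm -qa --qf "$RPM_QF"` prints.
# Package names and key IDs are made up for this example; they are not
# real Red Hat or Fedora key IDs.
sample_rpm_output() {
    cat <<'EOF'
bash-3.0-17 DSA/SHA1, Mon 04 Oct 2004 10:12:33 PM CEST, Key ID 0123456789abcdef
glibc-2.3.3-74 DSA/SHA1, Fri 15 Oct 2004 03:40:01 AM CEST, Key ID 0123456789abcdef
kernel-2.6.9-1.667 DSA/SHA1, Tue 19 Oct 2004 11:02:55 PM CEST, Key ID fedcba9876543210
locallybuilt-1.0-1 (none)
EOF
}

# filter_by_key KEYID: read query lines on stdin, print the NVR of every
# package whose "Key ID" field equals KEYID. The comparison is
# case-insensitive because rpm prints lowercase hex and gpg uppercase.
filter_by_key() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /Key ID/ && tolower($NF) == want { print $1 }'
}

# filter_unsigned: print the NVR of every package that carries no signature.
filter_unsigned() {
    awk '$2 == "(none)" { print $1 }'
}

# Against a live rpm database (needs rpm installed; not run by the demo):
#   installed_signed_by 0123456789abcdef
installed_signed_by() {
    rpm -qa --qf "$RPM_QF" | filter_by_key "$1"
}

installed_unsigned() {
    rpm -qa --qf "$RPM_QF" | filter_unsigned
}

# Demo on the constructed sample (no rpm database needed).
echo "signed by 0123456789abcdef:"
sample_rpm_output | filter_by_key 0123456789abcdef
echo "unsigned:"
sample_rpm_output | filter_unsigned
```

Two caveats a practitioner should keep in mind. First, this query only reports which key ID the package header claims to be signed with; it does not verify the signature. `rpm -K` (or `--checksig`) does that, against the keys imported into the database (`rpm -q gpg-pubkey` lists them). Second, the 16-hex-digit "Key ID" is the low 64 bits of the fingerprint, so when deciding which ID corresponds to 'rawhide-gpg-key', compare against the fingerprint of the key you imported, not against a name.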