On Oct 26, 2004, "nodata" <fedora@xxxxxxxxxxxx> wrote:

> Aside from the verifications carried out by the human (I'm not sure what
> these are), the signed package from Red Hat would have one important
> advantage over an unsigned package from Red Hat - that it really did pass
> through one of the Red Hat build servers.

No. It would only prove that the package passed through a box that had the
signing key. The more machines have access to such a key, and the more entry
points such machines have, the more likely it is that someone could abuse the
keys to sign packages that didn't go through the build servers, and the more
likely it becomes that the key leaks and starts being used for malicious
purposes.

Sure enough, in a perfect world, this shouldn't happen, but the world we live
in is far from that, so it's only reasonable to take care to avoid leaks, and
to avoid getting packages signed that didn't go through the build system.

> I think the core issue here is that yum users tracking Rawhide should have
> a way to verify that a package has come through Red Hat.

Just don't let yum install packages that aren't signed.

How about you start a rawhide mirror with the following properties: if a
package is not signed, it won't be in your mirror; you'll keep the previous
version of such a package instead.

An alternative is to script a yum wrapper that, when encountering an unsigned
package, automatically excludes that and retries, until you get only signed
packages installed. Heck, wouldn't it be way so cool if yum could do it all
by itself?

It's unlikely that signed packages will have dependencies on unsigned
packages, because of the way signing is done, so odds are that, given daily
rawhide pushes, you'd be able to move forward quite regularly.

> If yum could provide a lesser degree of verification, by verifying
> checksums instead of signatures, this wouldn't be a bad thing?

Err... Doesn't it? up2date does, and so does rpm.

>> To me, rawhide is only half a step away from CVS, should the CVS access
>> (once made public) also have everything GPG signed?

> Perhaps :)

monotone!

--
Alexandre Oliva http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist oliva@{lsd.ic.unicamp.br, gnu.org}
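The signed-only rawhide mirror sketched in the reply above, as an added example that is not part of the original post: it classifies `rpm --checksig` result lines and keeps the previously mirrored version of any package whose new push is unsigned or fails verification. The sample lines are constructed in the style of classic rpm 4.x output (wording varies between rpm releases), the key id in them is a placeholder, and `classify`, `package_name` and `build_mirror` are names chosen here.

```python
import re

# Constructed sample lines in the style of `rpm --checksig` (classic rpm 4.x
# format; later releases word this differently, so the parser illustrates the
# mirror policy rather than every rpm version). The key id is a placeholder.
SAMPLE_CHECKSIG = """\
foo-1.2-3.i386.rpm: (sha1) dsa sha1 md5 gpg OK
bar-2.0-1.i386.rpm: sha1 md5 OK
baz-0.9-7.i386.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK (MISSING KEYS: GPG#00000000)
"""

_LINE = re.compile(r"^(?P<file>\S+\.rpm):\s*(?P<checks>.*?)\s+(?P<verdict>NOT OK|OK)\b")


def classify(line):
    """Return (filename, status) for one checksig line.

    "signed"   - a pgp/gpg signature was checked and verified,
    "unsigned" - only digests (sha1/md5) were checked, no signature present,
    "bad"      - any NOT OK result (bad signature, bad digest, unknown key).
    """
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised checksig line: %r" % line)
    checks = m.group("checks").lower().split()
    if m.group("verdict") != "OK":
        return m.group("file"), "bad"
    if "gpg" in checks or "pgp" in checks:
        return m.group("file"), "signed"
    return m.group("file"), "unsigned"


def package_name(filename):
    # name-version-release.arch.rpm -> name (the name itself may contain dashes)
    return filename.rsplit("-", 2)[0]


def build_mirror(checksig_output, previous):
    """Decide which file the filtered mirror publishes for each package.

    previous maps package name -> filename currently in the mirror (all signed).
    A new push replaces it only when its signature verified; an unsigned or
    NOT OK push leaves the old version in place, and a package that has no
    previous version simply stays out of the mirror.
    """
    mirror = dict(previous)
    for line in checksig_output.splitlines():
        if not line.strip():
            continue
        filename, status = classify(line)
        if status == "signed":
            mirror[package_name(filename)] = filename
    return mirror
```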