Nils Philippsen wrote:
[...snip...]
I still don't see how signing a package makes it more trustworthy than
signing the repo metadata. Signing a package gives me some amount of
trust in its origin, not its quality or whatever.
Jumping into this discussion face first...
As you said, signing a package gives you some amount of trust in its
origin. The trust in its quality is derived from the reputation of the
origin, i.e. I would "trust" the quality of a package signed by RedHat
before I would "trust" the quality of a package signed by Joe Schmo from
xyz. But that "trust" in the RedHat quality would probably be damaged if
they were to "sign" pre-release (rawhide) packages. So, releases should
be signed, tests should not.
As far as signing packages vs. signing meta-data... Digital signatures
are like real signatures, you want to make sure they are actually
attached to what you are signing. If there is a chance that package that
the signed meta-data represents can be changed without invalidating the
signature, then you've lost the authentication power of the signature.
In the non-digital world, you sign each page of a contract, not a
separate blank page attached to the contract. Signing a blank page is
meaningless...
Okay, back to lurking in the dark shadows...
John
John Burton
Principal Associate, G&A Technical Software, Inc.
Suite 101, 11864 Canon Blvd., Newport News, VA 23606
tel (work): 757-873-5920, fax: 757-873-5924
email: j.c.burton@xxxxxxxxxxxx
http://www.gats-inc.com
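The binding argument in John's reply (a signature over metadata only protects the packages if that metadata pins their contents) can be shown concretely. The following is an added example, not code from the thread or from any Fedora tooling: it builds two kinds of repository metadata over a constructed set of package bytes, one listing filenames only and one listing SHA-256 digests, signs each, and then checks whether a substituted package is detected. An HMAC with a constructed key stands in for the repository's signing key (assumption: a real repository would use an asymmetric signature such as GPG; the binding property is the same, only the primitive differs).

```python
import hashlib
import hmac
import json

# Constructed sample repository: package filename -> package bytes.
PACKAGES = {
    "foo-1.0.rpm": b"original foo package contents",
    "bar-2.1.rpm": b"original bar package contents",
}

# Assumption: a keyed HMAC stands in for the repository's signing key.
SIGNING_KEY = b"constructed-demo-signing-key"


def sign(metadata: dict) -> bytes:
    """Sign a canonical (sorted-key JSON) encoding of the metadata."""
    canonical = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).digest()


def verify_signature(metadata: dict, sig: bytes) -> bool:
    return hmac.compare_digest(sign(metadata), sig)


def metadata_names_only(packages: dict) -> dict:
    """Metadata that merely lists filenames: the signature binds the list, not the bytes."""
    return {"packages": sorted(packages)}


def metadata_with_digests(packages: dict) -> dict:
    """Metadata that pins each package's SHA-256: the signature now covers the contents."""
    return {"packages": {name: hashlib.sha256(data).hexdigest()
                         for name, data in packages.items()}}


def verify_repo(metadata: dict, sig: bytes, packages: dict) -> tuple:
    """Return (ok, reason) for a repository served with this metadata and signature."""
    if not verify_signature(metadata, sig):
        return False, "metadata signature invalid"
    listed = metadata["packages"]
    if isinstance(listed, list):
        # Names-only metadata: all we can check is that the files exist.
        for name in listed:
            if name not in packages:
                return False, f"{name} missing"
        return True, "names match (contents unchecked)"
    # Digest-bearing metadata: recompute every package hash and compare.
    for name, digest in listed.items():
        data = packages.get(name)
        if data is None:
            return False, f"{name} missing"
        if hashlib.sha256(data).hexdigest() != digest:
            return False, f"{name}: digest mismatch"
    return True, "all package digests match"


def demo() -> dict:
    """Compare both metadata styles against pristine and tampered package sets."""
    tampered = dict(PACKAGES)
    tampered["foo-1.0.rpm"] = b"replaced foo package contents"  # constructed substitution
    results = {}
    for label, builder in (("names_only", metadata_names_only),
                           ("with_digests", metadata_with_digests)):
        md = builder(PACKAGES)
        sig = sign(md)  # signed once, over the original repository state
        results[label] = {
            "pristine": verify_repo(md, sig, PACKAGES)[0],
            "tampered": verify_repo(md, sig, tampered)[0],
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With names-only metadata the substituted package passes verification because the signed data never changed; with digest-bearing metadata the same substitution fails, which is the "sign each page of the contract" property the reply describes. Signing the individual packages achieves the same binding per file, with the additional advantage that a package remains verifiable when it is copied out of the repository without its metadata.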