> On Fri, 29 Oct 2004 15:36:47 +0200, Nils Philippsen <nphilipp@xxxxxxxxxx>
> wrote:
>> This still forces me to use special tools like up2date and yum to access
>> the packages if I want to verify their origins.
>
> actually...no.
>
> you can grab the signed metadata with the md5sums, check the sig on that.
> and then do a md5sum check comparing the md5sum values in the metadata
> and the package. You can do the md5sum check by hand. This isn't much
> different than the situation with the isos. How do you verify you are
> using the correct isos? you check the md5sums against an md5sum list.
> How do you check the validity of the md5sum list?
> You check the md5sum list signature.
>
> You might argue it would be a good idea if there was a signed flat
> md5sum list for all packages as well as the xml metadata, so the
> md5sum command could use it. And then I'll tell you, you need to
> accept the inevitable future of xml for all possible human
> communication adopted by unanimous United Nations resolution, and you
> should fix md5sum to parse xml structure files for md5sum sigs :->
>
> And I really really really don't want to encourage people to use
> rawhide packages randomly from something like an online rpm warehouse.
> I don't want misinformed people, being able to pick up an individual
> rawhide package, see that it's signed, and use the fact that there is a
> verifiable signature as an easy excuse to assume it's totally okay to
> install. This sort of crap happens a lot with unsigned rawhide, and I
> don't want people who misunderstand what a signature really means to
> feel more comfortable installing rawhide packages when they should not
> be. There is a gap between, the technical definition of what signing
> a package means, and common perception of what a signed package means.
> My concern is not for people like yourself, who understand that a
> rawhide key doesn't mean anything beyond "this package was built on the
> automated rawhide build system." My concern is for the people, the
> much larger group of people, who will misinterpret the level of trust
> associated with ANY key and will be that much more inclined to install
> a random rawhide package they happen to find outside of a rawhide
> mirror, without thinking about it at all. It doesn't help that as of

But "rpm" doesn't require a signature for an install. yum does. If an
ill-informed user downloads and installs a rawhide package, they'd
never find out whether it was signed or not. Only users tracking rawhide
with yum will be told about this missing signature, and these aren't the
ill-informed ones (in your example).

> now rpm key importation can't handle signed keys, and thus
> web-of-trust metrics can't be used natively to produce a metric of
> trust of keys. How do you implement verification for those people who
> understand what it means, without giving a false sense of security and
> trust for those people who are misinformed about the process who end
> up using the rawhide packages out of their original context? I say
> you sign the metadata and have the informed people use the package
> metadata for verification.
>
> Can rawhide packages be automatically signed... of course
> Does autosigning help the intended, well informed, audience of the
> rawhide packages... yes
> Does autosigning hurt the unintended, un-informed or mis-informed
> audience... I think it does.
>
> -jef
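
The by-hand check described in the quoted message (read the checksums out of metadata whose signature has already been verified, then compare them with the downloaded package), as an added example that is not part of the original thread. It assumes a repodata-style `primary.xml` layout with `<checksum>` and `<location>` elements; the package name, payload and metadata are constructed, and the signature check on the metadata file itself is assumed to have been done beforehand.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace used by repodata primary.xml files.
NS = {"c": "http://linux.duke.edu/metadata/common"}
# Metadata checksum type names -> hashlib names ("sha" is the old name for SHA-1).
ALGOS = {"md5": "md5", "sha": "sha1", "sha1": "sha1", "sha256": "sha256"}


def load_checksums(primary_xml: bytes) -> dict:
    """Map each package's location href to (hashlib algorithm, hex digest)."""
    table = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        csum = pkg.find("c:checksum", NS)
        table[href] = (ALGOS[csum.get("type")], csum.text.strip().lower())
    return table


def verify_package(table: dict, href: str, data: bytes) -> bool:
    """True only if href is listed in the metadata and its digest matches."""
    if href not in table:
        return False  # not covered by the signed metadata: treat as unverified
    algo, expected = table[href]
    return hashlib.new(algo, data).hexdigest() == expected


# Constructed sample: a stand-in package body and metadata listing its MD5.
SAMPLE_PKG = b"constructed stand-in for an rpm payload\n"
SAMPLE_XML = (
    '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
    '<package type="rpm"><name>example</name>'
    '<checksum type="md5" pkgid="YES">%s</checksum>'
    '<location href="example-1.0-1.noarch.rpm"/></package></metadata>'
    % hashlib.md5(SAMPLE_PKG).hexdigest()
).encode()

if __name__ == "__main__":
    checksums = load_checksums(SAMPLE_XML)
    for name, body in [("example-1.0-1.noarch.rpm", SAMPLE_PKG),
                       ("example-1.0-1.noarch.rpm", SAMPLE_PKG + b"tampered"),
                       ("unlisted-1.0-1.noarch.rpm", SAMPLE_PKG)]:
        print(name, "OK" if verify_package(checksums, name, body) else "FAILED")
```

A match only ties the file to the metadata; what that is worth depends on whose key signed the metadata, which is the trust question the thread is arguing about.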