Re: Should Fedora rpms be signed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Mon, 1 Nov 2004, Peter Jones wrote:

> On Fri, 2004-10-29 at 09:44 -0500, Ian Pilcher wrote:
> > Jeff Spaleta wrote:
> > > 
> > > Can rawhide packages be automatically signed... of course
> > > Does autosigning help the intended, well informed, audience of the
> > > rawhide packages... yes
> > > Does autosigning hurt the unintended, un-informed or mis-informed
> > > audience... i think it does.
> > > 
> > 
> > So you're suggesting that the use of signed packages should be limited
> > by some "least common denominator" of ignorant users?  I suspect that
> > if you broadly adopt that principle, you won't be real happy with the
> > results.
> 
> No, this is the wrong problem to discuss.  The problem isn't that the
> users are ignorant.  The problem is that we've systematically taught
> them what to expect a signature means, and we're going back and saying
> that sometimes -- only sometimes -- it only means part of that.
> 
> That's a serious flaw, and it's one we must address before we consider
> implementing any sort of automatic signatures.  The way to do so is to
> separate the task of verifying the source (or even the chain of sources,
> if there are mirrors of mirrors) from that of verifying trust of the
> contents.

Are you saying - currently when a package is gpg-signed by a person -
he/she actually goes through a manual process of verifying the
following?

- source is not tampered (including the intial .tar.gz, patches, .spec files)
- binary is not tampered
- source -> binary process didn't introduce 'ANY' tampering?

If not - I don't see any big change - as far as user perception goes
on gpg-sigining on build system.

For us users there is no confusion:
- 'rawhide-key' is different from 'redhat-key' - so there is no confusion here.
- 'gpg' singed packages doesn't => stability (aka rawhide can always
  eat data) - so no confusion here..

Satish


[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]