On Mon, 1 Nov 2004 13:47:32 -0600 (CST), Satish Balay <balay@xxxxxxxxxxx> wrote:

> But unless you are saying: somehow the current non-gpg-signed packages
> are preventing such folks from doing the wrong things (listed above) -
> and 'gpg-signing' encourages them to do them - your text adds no
> substance to the discussion.

Fine, I'll repeat myself... again. Yes... I firmly believe... that long term... as tools become more signature aware and tools become more demanding that signatures be present on consumable rpms, that signing throw-away packages like rawhide packages encourages people to use those packages out of context, and encourages people to store individual rawhide packages for later use on other systems, instead of encouraging people to use a full rawhide collection.

We can argue about the technical definition of what gpg-signing means... as originally conceived in the pgp/gpg methodology, but it is a pointless thing to discuss... in the context of rpm package signing. rpm package signing is NOT a full implementation of a gpg/pgp signing system. rpm's lack of understanding of what a signed key is greatly impacts "trust" as a quantifiable concept... and automatically elevates all signed packages to the same "trust" status. Whereas mature general-use gpg/pgp implementations know what a key signature means, and how to calculate "trust" from signatures on keys. If you trust me, and I sign someone else's key, that key earns a measure of trust from my signature. gnupg understands this concept of the web of trust... rpm does not... that is significant in the context of how rpm package signing has been used so far. Because there is a lack of a trust metric in rpm's implementation, package signing... by vendors... has historically meant more than prescribed by a general gpg methodology definition of signing. This isn't a matter of one or two really really stupid users doing something really really stupid.

This is a matter of common perception as to what signing a package means, and what vendors have historically wanted people to think signing a package means... in the context of rpm's implementation of signing and not in the context of gnupg's or pgp's general-purpose implementation. And I argue that historically... rpm package signing has meant more than "built on this host" and that many vendors including Red Hat have meant it to mean more than "built on this host." And I will argue that until rpm gets support for the trust metric concept using signed keys, signing rawhide packages encourages people to "trust" rawhide packages. Where "trust" is a quantifiable measurement based on key signatures.

-jef
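The contrast the post draws, as an added illustration that is not part of the original thread: a simplified model of GnuPG's classic web-of-trust validity calculation (ownertrust on keys, one full or three marginal certifications needed, bounded depth) next to the flat "key is in the rpmdb, so the signature verifies" check that rpm offers. The keyring, the ownertrust values and the thresholds are constructed for the example and are not taken from any real key data.

```python
"""Web-of-trust validity (GnuPG-style, simplified) vs rpm's flat key check."""

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

# Constructed keyring: signer -> keys that signer has certified.
SIGNATURES = {
    "me": {"alice", "bob", "carol"},
    "alice": {"dave"},
    "bob": {"dave"},
    "carol": {"dave"},
    "mallory": {"mallory"},  # self-signed only; nobody vouches for it
}
# Constructed ownertrust: how far the verifier trusts each key OWNER to
# certify other keys. Only the verifier's own key is ultimately trusted.
OWNERTRUST = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL, "carol": MARGINAL}


def all_keys(signatures):
    keys = set(signatures)
    for signed in signatures.values():
        keys |= signed
    return keys


def gnupg_validity(signatures, ownertrust, marginals_needed=3, max_depth=5):
    """Return key -> validity. A key is fully valid if certified by one valid
    key whose owner is fully/ultimately trusted, or by `marginals_needed`
    valid keys whose owners are marginally trusted; fewer marginal
    certifications yield only marginal validity. Only VALID signers count,
    which is what makes trust flow along the chain of key signatures."""
    keys = all_keys(signatures)
    validity = {k: (FULL if ownertrust.get(k) == ULTIMATE else UNKNOWN) for k in keys}
    for _ in range(max_depth):  # each pass extends trust one hop further
        changed = False
        for key in keys:
            if validity[key] == FULL:
                continue
            certifiers = [s for s, signed in signatures.items()
                          if key in signed and s != key and validity[s] == FULL]
            fulls = sum(ownertrust.get(s) in (FULL, ULTIMATE) for s in certifiers)
            margs = sum(ownertrust.get(s) == MARGINAL for s in certifiers)
            new = FULL if fulls >= 1 or margs >= marginals_needed else (MARGINAL if margs else UNKNOWN)
            if new != validity[key]:
                validity[key], changed = new, True
        if not changed:
            break
    return validity


def rpm_trust(imported_keys, package_signer):
    """rpm's model as the post describes it: any key imported into the rpmdb
    verifies the packages it signed; there is no trust level to weigh."""
    return "ok" if package_signer in imported_keys else "nokey"
```

Once "mallory" is imported into the rpmdb, rpm_trust reports its packages as "ok" exactly as it does for "me", while gnupg_validity still rates the key unknown because nothing in the web of trust vouches for it.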