On Thu, 4 Nov 2004, Peter Jones wrote:
It's true to our tools, and I think it's true in the eyes of our users. I'm not the only one who's stated this impression, either. Jef put it pretty well the other day talking to Satish:
On Mon, 1 Nov 2004 12:58:22 -0600 (CST), Satish Balay balay@fastmail.fm wrote:
No confusion here either - as rawhide packages are never mistaken for erratum packages.
Really? No one ever mistakes a package from rawhide for a consumable package? Really? No one ever does a random search for a package from an online rpm warehouse and finds a package meant as a piece of rawhide and not as a consumable update? Really? No one ever takes packages from the rawhide tree, mixes them with updates and creates a homebrew repository that other users will be using?
There is no part of "which key was being used" that carries any data about what the signature means, and this is a very significant problem. Why isn't this point clear?
I guess I have to answer this question as well. The following is in the context of signed/unsigned rawhide packages (not random things users can do).
******
Jeff (& I guess you) are assuming the following:
- user always does the following on an RHEL box:
  rpm --import REDHAT-KEY
  rpm --import RAWHIDE-KEY
  and always uses 'yum' with 'gpgcheck'
Thus unsigned rawhide-packages saved the day.
But they will NEVER do the following:
- remove the 'gpgcheck' flag in yum.conf
- install packages from rawhide on RHEL
- wget a 'randomly searched' rpm and install it with 'rpm -ivh foobar.rpm' on an RHEL box
*******
My contention is:
- The second part is not fixable - so that problem isn't being solved.
- if the user is dumb enough to do 'rpm --import RAWHIDE-KEY' on an RHEL box, you can still have the EXACT same protection (as your unsigned rawhide) by coming up with a new key 'YOU-MUST-BE-CRAZY-TO-RPM-IMPORT-THIS-KEY.gpg' and signing rawhide with it.
********
And I'm not disputing the fact that a better infrastructure is required to distinguish keys automatically.
Satish
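The trust decision the two sides are arguing about, written out as an added example (this is not rpm, yum or Red Hat code, and it is not part of the thread). Real rpm signatures are OpenPGP; here an HMAC-SHA256 over the payload stands in for the signature so the script runs offline, which means "importing" a key installs the same secret the signer used, where GPG would install the public key. The key ids are the hypothetical names used in the mail, and the package names and payloads are constructed. The script reproduces the cases above: on a box with only REDHAT-KEY imported and gpgcheck on, a rawhide package signed with a separate key is refused exactly like an unsigned one; once the admin imports RAWHIDE-KEY it installs, because the signature carries nothing but the key id; with gpgcheck off anything installs. The last function sketches the "better infrastructure" both sides concede is needed: imported keys are tagged locally with the channel they vouch for, so a valid rawhide-key signature still cannot satisfy an updates install.

```python
"""Simulation of the rpm/yum trust decision argued over in this thread.

Added example for illustration; not rpm, yum or Red Hat code.  An HMAC-SHA256
over the payload stands in for the OpenPGP signature so this runs offline,
so `rpm_import` below installs the signer's secret where GPG would install a
public key.  Key ids are the hypothetical names from the mail.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical signing secrets held by the build system.
SIGNING_SECRETS: Dict[str, bytes] = {
    "REDHAT-KEY": b"redhat-signing-secret",
    "RAWHIDE-KEY": b"rawhide-signing-secret",
    "YOU-MUST-BE-CRAZY-TO-RPM-IMPORT-THIS-KEY": b"crazy-signing-secret",
}


@dataclass
class Package:
    name: str
    payload: bytes
    sig_key: Optional[str] = None   # id of the signing key; None = unsigned
    sig: Optional[bytes] = None


def sign(pkg: Package, key_id: str) -> Package:
    """Sign the payload.  The signature carries only the key id and a MAC over
    the bytes; nothing in it says 'rawhide' or 'erratum'."""
    pkg.sig_key = key_id
    pkg.sig = hmac.new(SIGNING_SECRETS[key_id], pkg.payload, hashlib.sha256).digest()
    return pkg


@dataclass
class Keyring:
    """Keys the admin has run `rpm --import` on."""
    imported: Dict[str, bytes] = field(default_factory=dict)

    def rpm_import(self, key_id: str) -> None:
        self.imported[key_id] = SIGNING_SECRETS[key_id]


def checksig(pkg: Package, keyring: Keyring) -> str:
    """Roughly `rpm -K`: OK, NOKEY (unknown signer), BAD (tampered), NOSIG."""
    if pkg.sig_key is None or pkg.sig is None:
        return "NOSIG"
    secret = keyring.imported.get(pkg.sig_key)
    if secret is None:
        return "NOKEY"
    expected = hmac.new(secret, pkg.payload, hashlib.sha256).digest()
    return "OK" if hmac.compare_digest(expected, pkg.sig) else "BAD"


def yum_install(pkg: Package, keyring: Keyring, gpgcheck: bool = True) -> str:
    """yum with gpgcheck=1 installs only packages whose signer is imported;
    with gpgcheck=0 (or a plain `rpm -ivh`, which only warns) anything goes."""
    if not gpgcheck:
        return "INSTALLED"
    return "INSTALLED" if checksig(pkg, keyring) == "OK" else "REFUSED"


def yum_install_channel_aware(pkg: Package, keyring: Keyring,
                              key_channel: Dict[str, str], want: str) -> str:
    """Hypothetical 'better infrastructure': each imported key is tagged locally
    with the channel it vouches for, so the signature's meaning is decided by
    local policy rather than by whether the key happens to be imported."""
    if checksig(pkg, keyring) != "OK":
        return "REFUSED"
    return "INSTALLED" if key_channel.get(pkg.sig_key) == want else "REFUSED"


def scenarios() -> Dict[str, str]:
    """The cases from the mail on a hypothetical RHEL box (constructed data)."""
    rhel = Keyring()                      # admin imported only REDHAT-KEY
    rhel.rpm_import("REDHAT-KEY")
    careless = Keyring()                  # admin also ran rpm --import RAWHIDE-KEY
    careless.rpm_import("REDHAT-KEY")
    careless.rpm_import("RAWHIDE-KEY")

    unsigned = Package("foobar-1.0-rawhide", b"rawhide build")
    rawhide_signed = sign(Package("foobar-1.0-rawhide", b"rawhide build"), "RAWHIDE-KEY")
    erratum = sign(Package("foobar-1.0-errata", b"erratum build"), "REDHAT-KEY")
    channels = {"REDHAT-KEY": "updates", "RAWHIDE-KEY": "rawhide"}

    return {
        "erratum, gpgcheck on": yum_install(erratum, rhel),
        "unsigned rawhide, gpgcheck on": yum_install(unsigned, rhel),
        "rawhide signed w/ separate key, gpgcheck on": yum_install(rawhide_signed, rhel),
        "rawhide signed, RAWHIDE-KEY imported": yum_install(rawhide_signed, careless),
        "unsigned rawhide, gpgcheck off": yum_install(unsigned, rhel, gpgcheck=False),
        "rawhide signed, key imported but channel-tagged":
            yum_install_channel_aware(rawhide_signed, careless, channels, want="updates"),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case:50s} -> {outcome}")
```

Run it and the second and third lines of output come out identical, which is the core of the argument: as far as a box that has not imported RAWHIDE-KEY is concerned, "signed with a key you do not trust" and "unsigned" are the same refusal. The fourth and fifth lines are the cases the mail calls not fixable by signing policy alone, and the last line is what a key-to-channel mapping would buy.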