On Fri, 2004-10-29 at 08:56 -0400, John Burton wrote:
Nils Philippsen wrote:
[...snip...]
I still don't see how signing a package makes it more trustworthy than signing the repo metadata. Signing a package gives me some amount of trust in its origin, not its quality or whatever.
Jumping into this discussion face first... As you said, signing a package gives you some amount of trust in its origin. The trust in its quality is derived from the reputation of the origin, i.e. I would "trust" the quality of a package signed by RedHat before I would "trust" the quality of a package signed by Joe Schmo from xyz. But that "trust" in the RedHat quality would probably be damaged if they were to "sign" pre-release (rawhide) packages. So, releases should be signed, tests should not.
And this assumption is wrong. A signature on a package is absolutely not correlated to the quality of it. To ease the burden on people's brains ;-) we have different keys for RHEL, Fedora, final, beta, Rawhide and whatnot. Therefore there is some kind of weak correlation between the key used to sign the package and the package's quality. People that import the Rawhide key should know that it might hose their systems, if they're not aware of that fact they'd better erase it from their systems (e.g. "rpm -e gpg-pubkey-e418e3aa-3f439953 gpg-pubkey-1cddbca9-3f9da14c" would erase the Rawhide keys from my system).
As far as signing packages vs. signing meta-data... Digital signatures are like real signatures, you want to make sure they are actually attached to what you are signing. If there is a chance that the package that the signed meta-data represents can be changed without invalidating the signature, then you've lost the authentication power of the signature. In the non-digital world, you sign each page of a contract, not a separate blank page attached to the contract. Signing a blank page is meaningless...
ACK.
Nils
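The "blank page" point above can be made concrete. The following is an added example, not code from the thread or from rpm/yum: a toy repository whose metadata lists each package with its SHA-256 digest and is signed with Ed25519 (stand-ins for the GPG signature on repomd; package contents, names and the fixed key seeds are all constructed). A signed metadata document that commits to the package digest does bind the package bytes: tampering with the package breaks the digest check. Metadata that merely lists the package name is the signed blank page: its signature still verifies, yet it says nothing about the package, so the client refuses instead of trusting it. A second key stands in for a different channel's key (the Rawhide key in the thread): metadata signed with a key the client has not imported is rejected up front.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Entry is one package the repository publishes. Data holds the package
// bytes; the values used below are constructed samples, not real RPMs.
type Entry struct {
	Name string
	Data []byte
}

// Metadata is a minimal stand-in for signed repository metadata: Body is
// the document that was signed, one "name sha256hex" line per package
// (or just "name" for the "blank page" variant), Sig is its signature.
type Metadata struct {
	Body []byte
	Sig  []byte
}

// SignMetadata builds the metadata document and signs it with the
// repository key. withDigest=false models metadata that lists packages
// without committing to their contents.
func SignMetadata(priv ed25519.PrivateKey, entries []Entry, withDigest bool) Metadata {
	var b strings.Builder
	for _, e := range entries {
		if withDigest {
			sum := sha256.Sum256(e.Data)
			fmt.Fprintf(&b, "%s %s\n", e.Name, hex.EncodeToString(sum[:]))
		} else {
			fmt.Fprintf(&b, "%s\n", e.Name)
		}
	}
	body := []byte(b.String())
	return Metadata{Body: body, Sig: ed25519.Sign(priv, body)}
}

// VerifyPackage is the client side. Order matters: first check that the
// metadata was signed by a key we trust, then check that the package bytes
// match the digest the signed metadata commits to. If the metadata lists
// the package without a digest, the signature does not cover the package
// at all, so the package is rejected rather than accepted on trust.
func VerifyPackage(pub ed25519.PublicKey, md Metadata, name string, pkg []byte) error {
	if !ed25519.Verify(pub, md.Body, md.Sig) {
		return errors.New("metadata signature invalid or signed by an untrusted key")
	}
	for _, line := range strings.Split(strings.TrimSpace(string(md.Body)), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || fields[0] != name {
			continue
		}
		if len(fields) < 2 {
			return fmt.Errorf("metadata lists %s without a digest: the signature does not bind the package", name)
		}
		sum := sha256.Sum256(pkg)
		if hex.EncodeToString(sum[:]) != fields[1] {
			return errors.New("package digest does not match signed metadata")
		}
		return nil
	}
	return fmt.Errorf("%s is not listed in the metadata", name)
}

func main() {
	// Constructed, fixed seed so the example is reproducible. A real
	// repository signing key is never derived from a constant like this.
	repoKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	repoPub := repoKey.Public().(ed25519.PublicKey)
	// A second key standing in for a different channel's key (e.g. Rawhide).
	otherKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))

	good := []byte("hello-1.0-1.noarch.rpm: constructed package bytes")
	tampered := []byte("hello-1.0-1.noarch.rpm: constructed package bytes + backdoor")
	entries := []Entry{{Name: "hello", Data: good}}

	withDigest := SignMetadata(repoKey, entries, true)
	blankPage := SignMetadata(repoKey, entries, false)
	otherChannel := SignMetadata(otherKey, entries, true)

	fmt.Println("digest metadata, genuine package: ", VerifyPackage(repoPub, withDigest, "hello", good))
	fmt.Println("digest metadata, tampered package:", VerifyPackage(repoPub, withDigest, "hello", tampered))
	fmt.Println("blank-page metadata, tampered:    ", VerifyPackage(repoPub, blankPage, "hello", tampered))
	fmt.Println("signed with an untrusted key:     ", VerifyPackage(repoPub, otherChannel, "hello", good))
}
```

The design choice worth noting is that the client fails closed on metadata without a digest: a signature that verifies but does not cover the package is treated as no signature, which is exactly the "signed blank page" case. Signing each package directly (as rpm does) reaches the same binding without the indirection, at the cost of a signature check per package rather than one per metadata fetch; the two approaches are equivalent only as long as the metadata commits to every package's digest and the client actually checks it.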