[OpenAFS] OpenAFS RPMs and GPG signatures

Alexander Boström abo@kth.se
Thu, 12 Jun 2008 14:00:29 +0200

Thu 2008-06-12 at 00:43 +0100, Simon Wilkinson wrote:

> And, ultimately, if the packages are getting signed without any form  
> of checks, do either of the latter two actually offer any more  
> security than the first?

Sure, there's the risk of someone gaining (or keeping) a copy of a
private key they shouldn't have access to (any more) or using a key in a
way they shouldn't. There's also the risk of someone placing a malicious
package in a yum repository I'm using (or spoofing the HTTP server).

The RPM GPG signing system is far from perfect but as long as I insist
on always using it then at least someone with a malicious package would
have to do both of the above to get the package into my machine. That's
why I think I raise the bar a bit by refusing to add any repository with

This situation does make me wonder if perhaps it's time to start looking
at how to improve or replace the RPM security system but I still think
it's helpful in its current form.

One can always still choose to make a local mirror and resign the
packages with some other key or just continue with gpgcheck=0 even if
you start signing them with some more or less secure automatic system.
Still, I do understand the reasons why you might hesitate to publish a
public key this way.