[OpenAFS] OpenAFS RPMs and GPG signatures

Alexander Bostr÷m abo@kth.se
Thu, 12 Jun 2008 14:00:29 +0200


tor 2008-06-12 klockan 00:43 +0100 skrev Simon Wilkinson:

> And, ultimately, if the packages are getting signed without any form  
> of checks, do either of the latter two actually offer any more  
> security than the first?

Sure, there's the risk of someone gaining (or keeping) a copy of a
private key they shouldn't have access to (any more) or using a key in a
way they shouldn't. There's also the risk of someone placing a malicious
package in a yum repository I'm using (or spoofing the HTTP server).

´╗┐The RPM GPG signing system is far from perfect but as long as I insist
on always using it then at least someone with a malicious package would
have to the both of the above to get the package into my machine. That's
why I think I raise a bar a bit by refusing to add any repository with
gpgcheck=0.

This situation does make me wonder if perhaps it's time to start looking
at how to improve or replace the RPM security system but I still think
it's helpful in its current form.

One can always still choose to make a local mirror and resign the
packages with some other key or just continue with gpgcheck=0 even if
you start signing them with some more or less secure automatic system.
Still, I do understand the reasons why you might hesitate to publish a
public key this way.

/abo