On Tue, Nov 25, 2003 at 03:09:51PM +0800, Chris Kloiber wrote:
> On Tue, 2003-11-25 at 15:04, Axel Thimm wrote:
> > On Tue, Nov 25, 2003 at 02:06:15PM +0800, Chris Kloiber wrote:
> > > On Tue, 2003-11-25 at 05:12, Timothy Ha wrote:
> > > > Thank you!
> > > >
> > > > I still have some questions (not doubts): With thrilling stories like
> > > > someone breaking into the Linux kernel source, how do you guarantee the quality
> > > > of the repositories? Security updates, system tools and so on are there.
> > > >
> > > > Will Redhat be some guarantee to all these things?
> > >
> > > Not necessarily, but...
> > >
> > > The packages are all signed with GPG if they are officially part of the
> > > Fedora project. Your up2date/apt/yum should be configured to check these
> > > signatures before installing anything, and to scream "bloody-blue
> > > murder" if they are not correctly signed.
> >
> > Well, almost all non-redhat.com repos are GPG signing as well. GPG
> > signed packages with keys from the same originating site only ensure
> > that you get what the packager produced. The difference being that I
> > would trust a redhat.com key more than a my.repo.for.fc1.hackz key ;)
> >
> > > You should be able to find the official keys and an explanation of
> > > their uses here:
> > >
> > > http://fedora.redhat.com/about/security/
> >
> > Maybe RH could consider verifying some IDs of packagers/repos and signing
> > their keys (and vice versa, RH's key is not signed by any other key)?
> > That would be a good establishment to create a true web of trust.
>
> Oh, part of that is here:
>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x54A2ACF1

This is a signed key of the fedora.us release manager that rejects cooperation with other repos, not quite the right context for trusting 3rd party repos. It also only transfers trust to a single instance; a web of trust creates more than a single trusted instance. The Debian keyring is a better example of creating webs of trust.
I was referring to RH's own fedora key, which is not signed:

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x4F2A6FD2&op=index

and it shouldn't be used for being signed only, but for signing trusted parties, because that's what is lacking in trust (well, at least in theory). The RH key should be used for creating a web of trust by signing and being signed by trusted packagers whose identification has been verified (because that is what signing really means).

At least some Red Hat people could start signing their own key. :)
-- 
Axel.Thimm@xxxxxxxxxxxxxxxxxxx
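The thread above argues about what a single signature on a vendor key actually buys you versus a real web of trust. The following is an added example, not code from the thread or from Red Hat/Fedora: a small model of GnuPG's classic trust computation (ownertrust plus certifications, with GnuPG's default thresholds of 1 full or 3 marginal certifiers and a maximum certification depth of 5, all assumed here) run over constructed keyrings. The key names (me, redhat, fedora_rm, repo_a ...) are made-up stand-ins for the keys discussed; nothing is fetched from a keyserver.

```python
"""Toy model of GnuPG's classic web-of-trust validity computation.

Added example for the fedora-list discussion above; not GnuPG's code and
not Red Hat's. Key names are hypothetical stand-ins.
"""

# GnuPG classic trust-model defaults (assumed; tunable in gpg.conf)
MARGINALS_NEEDED = 3   # --marginals-needed
COMPLETES_NEEDED = 1   # --completes-needed
MAX_CERT_DEPTH = 5     # --max-cert-depth

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


def compute_validity(certifications, ownertrust):
    """Return {key_id: depth} for every key that ends up *valid*.

    certifications: {key_id: set(signer_key_ids)}  who has signed each key
    ownertrust:     {key_id: ULTIMATE|FULL|MARGINAL|NONE}  how far the
                    keyring owner trusts that holder to certify other keys

    A key is valid when it is ultimately trusted, or certified by at least
    COMPLETES_NEEDED valid fully/ultimately trusted keys, or by at least
    MARGINALS_NEEDED valid marginally trusted keys, within MAX_CERT_DEPTH.
    Ownertrust on a key that is not itself valid contributes nothing: an
    unsigned vendor key is a dead end no matter how much you trust it.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    changed = True
    while changed:                       # iterate to a fixpoint
        changed = False
        for key, signers in certifications.items():
            if key in valid:
                continue
            full = [s for s in signers if s in valid
                    and ownertrust.get(s, NONE) in (FULL, ULTIMATE)]
            marginal = [s for s in signers if s in valid
                        and ownertrust.get(s, NONE) == MARGINAL]
            if len(full) >= COMPLETES_NEEDED or len(marginal) >= MARGINALS_NEEDED:
                depth = 1 + min(valid[s] for s in full + marginal)
                if depth <= MAX_CERT_DEPTH:
                    valid[key] = depth
                    changed = True
    return valid


# Constructed keyrings. "me" is the local user's own (ultimate) key, which
# has been used to sign the vendor key after verifying it out of band.
TRUST = {"me": ULTIMATE, "redhat": FULL, "fedora_rm": MARGINAL,
         "repo_a": MARGINAL, "repo_b": MARGINAL}


def scenario_single_instance():
    """Vendor key certifies exactly one packager: trust reaches one key only."""
    certs = {
        "redhat":    {"me"},            # I verified and signed the vendor key
        "fedora_rm": {"redhat"},        # the single key the vendor has signed
        "repo_a":    {"repo_b"},        # third-party repos cross-sign each
        "repo_b":    {"repo_a"},        # other, but nobody valid signs them
    }
    return compute_validity(certs, TRUST)


def scenario_unsigned_vendor_key():
    """Nobody, not even the local user, has signed the vendor key."""
    certs = {
        "fedora_rm": {"redhat"},
        "repo_a":    {"repo_b"},
        "repo_b":    {"repo_a"},
    }
    return compute_validity(certs, TRUST)


def scenario_web_of_trust():
    """Vendor signs several verified packagers, who then certify others."""
    certs = {
        "redhat":    {"me"},
        "fedora_rm": {"redhat"},
        "repo_a":    {"redhat"},
        "repo_b":    {"redhat"},
        "repo_c":    {"fedora_rm", "repo_a", "repo_b"},  # 3 marginals: valid
        "repo_d":    {"repo_a", "repo_b"},               # 2 marginals: not
    }
    return compute_validity(certs, TRUST)


if __name__ == "__main__":
    for name, fn in [("single instance", scenario_single_instance),
                     ("unsigned vendor key", scenario_unsigned_vendor_key),
                     ("web of trust", scenario_web_of_trust)]:
        print(f"{name:20s} valid keys: {fn()}")
```

In the first keyring only the one packager the vendor signed becomes valid; in the second, the fully trusted but unsigned vendor key transfers nothing at all, which is the situation Axel is pointing at; in the third, three independently vendor-certified packagers are enough for a fourth key to become valid through marginal trust alone, while two are not. The thresholds are what make a web of trust different from a chain.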