Re: Secrecy and user trust

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Anders Karlsson wrote:
* jdow <jdow@xxxxxxxxxxxxx> [20080905 08:56]:
Suppose I have NO RedHat installed. I have no working computer near
me. I want to install Fedora 9. How do I establish the ability to
subject the packages to tests for being properly signed, that the
key used in the test is correct, and that I am reading and updating
from a legitimate mirror?

In this event you are likely installing from physical media, which
will have the public key on it already. If you do not trust that media
- why are you installing from it?

And here you bring out a good point, most users probably download an image and create the media themselves. Assuming that you get the sha1sum from a trusted source *and use it*, you are probably as safe doing that as buying from a DVD house and using that, or going to an install-a-thon and having a perfect stranger install software on your system. Having been the installer a few times, perhaps people could question me, although no one has.

Once you have installed the system - the updates you are pulling down
will be verified with the key that was on the media - unless you
actively go and switch off the gpg checking.

The part about how to distribute the new public key - that is the
thing that the infrastructure team is debating how to best do now.

Nitpicking - it is spelled "Red Hat".

If this can be done once in an initial install situation it can be done
again in an update situation using the same mechanism.

{^_^}

As others have already pointed out - it's a question of trust. At some
point or other - you have to decide what you trust. If you do not
trust something, do not use it (and then live with the consequences of
that choice).

If you decide not to trust passports, you will simply find it a bit
hard to travel from country to country. If you don't trust the Fedora
key, you'll find it a bit hard to use Fedora.

My view of the Fedora public key is that it is a means to verify the
integrity of the packages coming from the Fedora repo's. That the
package is originating from Fedora, and not from untrusted 3rd
party and that the packages have not been tampered with in
mid-flight. If you don't trust the method by which packages are
downloaded, verified and installed by yum - maybe you'd trust going to
the Fedora download site and grabbing the packages, one by one, and
installing them by hand?

This is a potential solution actually. If you don't trust https:// to
the download section of Fedora - you don't trust Fedora full stop. So
providing a page with the new key, and instruction for what to change
and how, on your system to point at the new repo's should satisfy even
the most paranoid people on this list. As the packages are signed with
the new key, and if you remove the old key - you should be OK. Right?

Actually, I would think that just distributing a single RPM package that way, containing the new key, would be preferable to getting it through the yum distribution channel, at least from my point of view. Then the yum channel would become trusted again.

Yes - it requires manual interaction, it'll be a PITA etc etc ad
nauseum. You have a better, more trustworthy idea? Let's hear it.

Actually I assumed that distribution directly from the Fedora servers had been impractical or even insecure for some reason, which is why I have proposed alternative ideas. It crossed my mind that the SSL certs might have been compromised as well.

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux