[Rpm-metadata] creeping featurism
Jeff Johnson
n3npq at nc.rr.com
Mon Nov 10 01:37:27 UTC 2003
seth vidal wrote:
>> Those metadata are useful, but not for the process of building a distributed
>>transaction solver. Why should we add them to the metadata description ?
>>IMHO extracting them is fine, but they are not needed for this purpose
>>so at best it should be optional.
>> Also note that the MD5 is confusing for users, they think it's the
>>package md5 while it means the payload MD5 in RPM at least,
>>
>>
>
><nod>
>To be terribly honest I was mostly thinking about the gpg/pgp signature
>as useful for dep resolving.
>
>
The signature is pretty worthless w/o the blob that is signed. Well, there's signature metadata like fingerprint that might be extracted, but other tasks to verify that the signature is intact should be performed before trusting the fingerprint.
>I know this is ludicrous at some level but I've been asked, by multiple
>people to allow depresolution based on signature.
>
Policies based on signature fingerprint need further thought. The problem is at least as hard as having choices from multiple repositories, complicated by the mechanics of OpenPGP packets.
>so if you have two packages that resolve a dependency for some package,
>you should look at the gpg sigs to see who they are signed by and
>install the one with a preferred signature.
>
Features are easy to invent, trust is harder. Editing the xml metadata to change fingerprint is a dirt simple attack for example.
73 de Jeff
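
Added example, not part of the original message and not code from rpm or any depsolver: it contrasts a resolver that applies a "preferred signer" policy to the fingerprint string in the XML metadata with one that first verifies the signature over the package blob against a local keyring. Textbook RSA over small Mersenne primes stands in for OpenPGP, and the XML layout, attribute names, package names and keys are all constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

E = 65537  # toy textbook RSA, a stand-in for OpenPGP; not usable as real crypto

def make_key(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def fingerprint(n):
    # The fingerprint is computed from the public key, never read from metadata.
    return hashlib.sha256(str(n).encode()).hexdigest()[:16]

def digest(blob, n):
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(blob, key):
    return pow(digest(blob, key["n"]), key["d"], key["n"])

def verified_signer(blob, sig, keyring):
    # Fingerprint of the trusted key whose signature covers this blob, else None.
    for fpr, n in keyring.items():
        if pow(sig, E, n) == digest(blob, n):
            return fpr
    return None

VENDOR = make_key(2**127 - 1, 2**107 - 1)   # constructed "preferred" signer
OTHER = make_key(2**89 - 1, 2**61 - 1)      # constructed signer not in the keyring
PREFERRED = fingerprint(VENDOR["n"])
KEYRING = {PREFERRED: VENDOR["n"]}          # locally trusted public keys only

# Constructed packages: name -> (blob, signature over the blob).
BLOBS = {"foo-vendor": (b"vendor payload", sign(b"vendor payload", VENDOR)),
         "foo-other": (b"other payload", sign(b"other payload", OTHER))}
# Constructed metadata: the foo-other entry was edited to carry the preferred fingerprint.
METADATA = f"""<metadata>
  <package name="foo-other" provides="libfoo" fingerprint="{PREFERRED}"/>
  <package name="foo-vendor" provides="libfoo" fingerprint="{PREFERRED}"/>
</metadata>"""

def resolve_naive(dep):
    # Policy applied to the fingerprint string exactly as the XML states it.
    return [p.get("name") for p in ET.fromstring(METADATA)
            if p.get("provides") == dep and p.get("fingerprint") == PREFERRED]

def resolve_verified(dep):
    # Policy applied only after the signature verifies over the blob itself.
    return [p.get("name") for p in ET.fromstring(METADATA)
            if p.get("provides") == dep
            and verified_signer(*BLOBS[p.get("name")], KEYRING) == PREFERRED]
```

The verified resolver needs the signed blob in hand, which is the cost the reply points at: metadata alone cannot carry the trust decision.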