[Rpm-metadata] creeping featurism

seth vidal skvidal at phy.duke.edu
Mon Nov 10 01:37:02 UTC 2003


> The signature is pretty worthless w/o the blob that is signed. Well,
> there's signature metadata like fingerprint that might be extracted, but
> other tasks to verify that the signature is intact should be performed
> before trusting the fingerprint.
> 
> >I know this is ludicrous at some level but I've been asked by multiple
> >people to allow depresolution based on signature.
> >
> 
> Policies based on signature fingerprint need further thought. The problem
> is at least as hard as having choices from multiple repositories,
> complicated by the mechanics of OpenPGP packets.
> 
> >so if you have two packages that resolve a dependency for some package,
> >you should look at the gpg sigs to see who they are signed by and
> >install the one with a preferred signature.
> >
> 
> Features are easy to invent, trust is harder. Editing the xml metadata to
> change fingerprint is a dirt simple attack for example.

All good reasons why it isn't worth it to include this.

Unless I hear other interesting reasons to keep it, I'll consider this
one shot down.

Thanks for the comments from everyone so far.

-sv
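
The point raised in the quoted text (a fingerprint written in the XML is only a claim until the signature is checked against the signed blob), as an added example that is not part of the original message or of any rpm-metadata code. The `package` element, the `sigfpr` attribute, the keys, fingerprints and package names are all constructed for illustration, and HMAC-SHA256 stands in for OpenPGP signature verification so the example runs with the standard library only.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed keyring: fingerprint -> key (HMAC is a stand-in for OpenPGP).
KEYS = {"AAAA1111": b"trusted-vendor-key", "BBBB2222": b"other-packager-key"}
PREFERRED = "AAAA1111"  # signer the depsolver policy prefers

def sign(fpr, blob):
    return hmac.new(KEYS[fpr], blob, hashlib.sha256).hexdigest()

def verified_fingerprint(blob, sig):
    """Return the fingerprint whose key validates sig over blob, else None."""
    for fpr, key in KEYS.items():
        expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            return fpr
    return None

# Constructed packages: name -> (blob, signature actually attached to it).
vendor_blob, other_blob = b"libfoo built by vendor", b"libfoo built by other"
PACKAGES = {
    "libfoo-vendor": (vendor_blob, sign("AAAA1111", vendor_blob)),
    "libfoo-other": (other_blob, sign("BBBB2222", other_blob)),
}

# Constructed repo metadata after tampering: the fingerprint attribute of
# libfoo-other was edited to the preferred signer's value.
TAMPERED_XML = """<metadata>
  <package name="libfoo-other" sigfpr="AAAA1111"/>
  <package name="libfoo-vendor" sigfpr="AAAA1111"/>
</metadata>"""

def pick_by_metadata(xml_text):
    """Naive policy: trust the fingerprint written in the XML."""
    for pkg in ET.fromstring(xml_text).iter("package"):
        if pkg.get("sigfpr") == PREFERRED:
            return pkg.get("name")
    return None

def pick_by_verified_signature(xml_text):
    """Policy that verifies the signature over the package blob first."""
    for pkg in ET.fromstring(xml_text).iter("package"):
        blob, sig = PACKAGES[pkg.get("name")]
        if verified_fingerprint(blob, sig) == PREFERRED:
            return pkg.get("name")
    return None
```

The metadata-only policy returns `libfoo-other` for the tampered XML, while the policy that verifies first returns `libfoo-vendor`.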




