[Rpm-metadata] creeping featurism
seth vidal
skvidal at phy.duke.edu
Mon Nov 10 01:37:02 UTC 2003
> The signature is pretty worthless w/o the blob that is signed. Well,
> there's signature metadata like fingerprint that might be extracted,
> but other tasks to verify that the signature is intact should be
> performed before trusting the fingerprint.
>
> >I know this is ludicrous at some level but I've been asked, by multiple
> >people to allow depresolution based on signature.
> >
>
> Policies based on signature fingerprint need further thought. The
> problem is at least as hard as having choices from multiple
> repositories, complicated by the mechanics of OpenPGP packets.
>
> >so if you have two packages that resolve a dependency for some package,
> >you should look at the gpg sigs to see who they are signed by and
> >install the one with a preferred signature.
> >
>
> Features are easy to invent, trust is harder. Editing the xml metadata
> to change fingerprint is a dirt simple attack for example.

All good reasons why it isn't worth it to include this.
Unless I hear other interesting reasons to keep it, I'll consider this
one shot down.
Thanks for the comments from everyone so far.
-sv
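
The point made in the thread, as an added example that is not part of the original message or of any rpm-metadata code: a resolver that ranks providers by the fingerprint string in the XML follows whatever the XML says, while one that verifies the signature over the package blob does not. HMAC with a local keyring stands in for OpenPGP here, and the package names, fingerprints, policy list and XML layout are all constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Stand-in for OpenPGP (assumption): HMAC secrets in a local keyring, keyed by
# a constructed fingerprint. Real RPM signatures are public-key OpenPGP packets.
KEYRING = {"AAAA1111": b"vendor-secret", "BBBB2222": b"other-secret"}
PREFERRED = ["AAAA1111", "BBBB2222"]  # hypothetical local policy, best first

def sign(fpr, blob):
    return hmac.new(KEYRING[fpr], blob, hashlib.sha256).hexdigest()

# Constructed packages: name -> (blob, signature carried with the blob).
PACKAGES = {
    "mta-vendor": (b"vendor build", sign("AAAA1111", b"vendor build")),
    "mta-other": (b"other build", sign("BBBB2222", b"other build")),
}

def rank(fpr):
    return PREFERRED.index(fpr) if fpr in PREFERRED else len(PREFERRED)

def verified_signer(blob, sig):
    """Fingerprint of the keyring key that validates sig over blob, or None."""
    for fpr in KEYRING:
        if hmac.compare_digest(sign(fpr, blob), sig):
            return fpr
    return None

def pick_by_metadata(xml_text):
    """Weak: trust the fingerprint string written in the repository XML."""
    pkgs = ET.fromstring(xml_text).findall("package")
    return min(pkgs, key=lambda p: rank(p.findtext("fingerprint"))).get("name")

def pick_by_verification(xml_text):
    """Hardened: ignore the claimed fingerprint, verify each blob's signature."""
    names = [p.get("name") for p in ET.fromstring(xml_text).findall("package")]
    return min(names, key=lambda n: rank(verified_signer(*PACKAGES[n])))

def metadata(claims):
    body = "".join(f'<package name="{n}"><fingerprint>{f}</fingerprint></package>'
                   for n, f in claims.items())
    return f"<metadata>{body}</metadata>"

HONEST = metadata({"mta-vendor": "AAAA1111", "mta-other": "BBBB2222"})
# Same repository after only the fingerprint strings in the XML were edited.
EDITED = metadata({"mta-vendor": "BBBB2222", "mta-other": "AAAA1111"})
```

The hardened path needs the blob in hand before it can rank anything, which is the cost the quoted reply describes: the fingerprint is only meaningful after the signature has been checked against the data it covers.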