package signing

David Jaša djasa at redhat.com
Mon Jan 30 14:13:44 UTC 2012


Doron Fediuck wrote on Sun 29. 01. 2012 at 14:21 +0200: 
> On 26/01/12 18:20, David Jaša wrote:
> > Doron Fediuck wrote on Thu 26. 01. 2012 at 11:01 -0500:
> >> +1 for the need.
> >> I think we should give md5 or similar hashes, 
> > 
> > There is already a file with md5 hashes in the repo but it has no meaning
> > wrt attack prevention because it is not accessible via https, let alone
> > HTTP Strict Transport Security, so it can be mangled by an attacker together
> > with the packages themselves.
> > 
> Setting up https access is probably the way to go.
> We can sign the hash file as well, but that's just for binaries.
> 
> >> and let distros do the signing.
> >>
> > 
> > Distros take care of it during their package build process, no need to
> > worry about that. But if we offer packages on our site, they should be
> > also signed.
> > 
> Actually, I just got the diff between our views;
> Indeed when you distribute binaries, I agree you should sign it.
> The thing is, I do not think we should distribute binaries. Fedora
> should distribute ovirt RPMs, and other distros should do the same
> using their own packaging mechanisms. For example, Gentoo will look
> for the sources tarball, and during the installation will d/l it,
> compile and deploy according to the relevant (signed) ebuild.
> 
> This is why fundamental projects will give you such links:
> http://www.x.org/releases/X11R7.6/src/
> http://www.kernel.org/pub/linux/kernel/v3.x/
> http://kde.mirrorcatalogs.com/stable/4.8.0/
> 
> You may also see rel-notes, change-log and docs, but no binaries.
> 
> I'm aware of the fact many projects (postgres and others) provide
> binaries as well, but my view is that this is the distro's task
> to package & sign the binaries, and the project's task to provide
> a stable release tarball of sources.
> 

I think we agree more than it seems. IMO we should provide binaries of
just development versions of oVirt for widely-used stable distributions
which do not have better ways to create custom repos (like OpenSuse
Build Service or Ubuntu PPA) - we do this for Fedora, Debian would be a
good candidate, too.

David

> > David
> > 

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
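The hash-file signing discussed above (a hash file served over plain HTTP can be rewritten along with the tarball, whereas a detached GPG signature on it cannot be forged without the release key), as an added shell demo that is not code from the oVirt project or from either poster. It assumes gpg 2.1+ and GNU coreutils; the key, file names and payloads are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a detached GPG signature on SHA256SUMS turns a plain
# "sha256sum -c" check into an authenticated one. Not oVirt project code.
set -eu

# Throwaway keyring for the demo "release manager" (never reuse for real releases).
setup_demo_key() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Release Key <release@example.invalid>' ed25519 sign 0
}

# Publisher side: tarball, SHA256SUMS, and SHA256SUMS.asc (detached signature).
publish_release() {   # $1 = directory to create and fill
    mkdir -p "$1"
    ( cd "$1" \
      && printf 'constructed tarball payload\n' > ovirt-demo-0.0.1.tar.gz \
      && sha256sum ovirt-demo-0.0.1.tar.gz > SHA256SUMS \
      && gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
             --armor --detach-sign --output SHA256SUMS.asc SHA256SUMS )
}

# Consumer side, in the order that matters: authenticate SHA256SUMS first,
# then compare file hashes against it. Returns 0 only if both checks pass.
verify_release() {    # $1 = directory holding the downloaded files
    ( cd "$1" \
      && gpg --batch --quiet --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null \
      && sha256sum --quiet -c SHA256SUMS )
}

# A mirror or on-path attacker rewriting both tarball and hash file, but
# without the signing key: the old SHA256SUMS.asc no longer matches.
tamper_release() {    # $1 = directory to corrupt
    ( cd "$1" \
      && printf 'trojaned payload\n' > ovirt-demo-0.0.1.tar.gz \
      && sha256sum ovirt-demo-0.0.1.tar.gz > SHA256SUMS )
}

demo() {
    setup_demo_key
    d=$(mktemp -d)
    publish_release "$d/good"
    cp -r "$d/good" "$d/tampered" && tamper_release "$d/tampered"
    verify_release "$d/good" && echo "good release: signature and hashes verified"
    verify_release "$d/tampered" \
        || echo "tampered release: hashes match but signature fails, rejected"
}

demo
```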
