Re: package signing

On 26/01/12 18:20, David Jaša wrote: > Doron Fediuck píše v Čt 26. 01. 2012 v 11:01 -0500: >> +1 for the need. >> I think we should give md5 or similar hashes, > > There is already file with md5 hashes in the repo but it has no meaning > wrt attack prevention because it is not accessible via https, let alone > HTTP Strict Transport Security so it can be mangled by attacker together > with packages themselves. > Setting up https access is probably the way to go. We can sign the hash file as well, but that's just for binaries. >> and let distro's do the signing. >> > > Distros take care of it during their package build process, no need to > worry about that. But if we offer packages on our site, they should be > also signed. > Actually, I just got the diff between our views; Indeed when you distribute binaries, I agree you should sign it. The thing is, I do not think we should distribute binaries. Fedora should distribute ovirt RPM's, and other distro's should do the same using their own packaging mechanisms. For example, Gentoo will look for the sources tarball, and during the installation will d/l it, compile and deploy according to the relevant (signed) ebuild. This is why fundamental projects will give you such links: http://www.x.org/releases/X11R7.6/src/ http://www.kernel.org/pub/linux/kernel/v3.x/ http://kde.mirrorcatalogs.com/stable/4.8.0/ You may also see rel-notes, change-log and doc's, but no binaries. I'm aware of the fact many projects (postgres and others) provide binaries as well, but my view is that this is the distro's task to package & sign the binaries, and the project's task to provide a stable release tarball of sources.

> David >