7:48 p.m.
yum update fedora-release-notes
produce
Package fedora-release-notes-8.0.0-2.noarch.rpm is not signed
this is true for about 16 pakages on my Rahwid system today
/Yonas
9:51 p.m.
On Thu, 2007-10-25 at 20:48 -0400, yonas Abraham wrote:
yum update fedora-release-notes
produce
Package fedora-release-notes-8.0.0-2.noarch.rpm is not signed
this is true for about 16 pakages on my Rahwid system today
This has been discussed a bunch of times already. Rawhide packages
aren't signed. This is intentional. Until we hit the final release,
either:
1) disable 'fedora' and 'updates' repositories, and re-enable
'development'
- this is best if you're planning to follow rawhide in the future
or:
2) disable 'gpgcheck' for 'fedora'
- you need to remember to re-enable it when Fedora 8 is released!
Hope that helps,
-w
11:02 p.m.
On 10/25/07, Will Woods <wwoods(a)redhat.com> wrote:
On Thu, 2007-10-25 at 20:48 -0400, yonas Abraham wrote:
> yum update fedora-release-notes
>
> produce
>
> Package fedora-release-notes-8.0.0-2.noarch.rpm is not signed
>
>
> this is true for about 16 pakages on my Rahwid system today
This has been discussed a bunch of times already. Rawhide packages
aren't signed. This is intentional. Until we hit the final release,
either:
1) disable 'fedora' and 'updates' repositories, and re-enable
'development'
- this is best if you're planning to follow rawhide in the future
or:
2) disable 'gpgcheck' for 'fedora'
- you need to remember to re-enable it when Fedora 8 is released!
Hope that helps,
-w
Thanks, I was not aware that my machine switched to "Fedora release 8
(Werewolf)". I am back to rawhide now and every thing is good now.
/Yonas
10:57 a.m.
On Thu, Oct 25, 2007 at 10:51:24PM -0400, Will Woods wrote:
> this is true for about 16 pakages on my Rahwid system today
This has been discussed a bunch of times already. Rawhide packages
aren't signed. This is intentional. Until we hit the final release,
Although, for the past six months or so, new packages hitting rawhide have
in fact happened to have been signed.
--
Matthew Miller mattdm(a)mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
10:57 a.m.
On Fri, 26 Oct 2007 11:57:19 -0400
Matthew Miller <mattdm(a)mattdm.org> wrote:
Although, for the past six months or so, new packages hitting
rawhide
have in fact happened to have been signed.
Not all of them. Only packages that were in say a test release, or
inherited from a previous release. There is no autosigning happening.
--
Jesse Keating
Fedora -- All my bits are free, are yours?
11:04 a.m.
On Fri, Oct 26, 2007 at 11:57:19AM -0400, Matthew Miller wrote:
Although, for the past six months or so, new packages hitting rawhide
have
in fact happened to have been signed.
No, wait, never mind me. I am speaking crazy-talk.
--
Matthew Miller mattdm(a)mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
12:22 p.m.
Am Donnerstag, den 25.10.2007, 22:51 -0400 schrieb Will Woods:
This has been discussed a bunch of times already. Rawhide packages
aren't signed. This is intentional.
That's nice. So I'll stop testing rawhide now because I don't know where
the packages are from. Conveniently jumping off and on the security
bandwagon at different stages in the release is a bit churlish.
It only takes one malicious unsigned package to be installed for the box
to be compromised, and nothing will protect against that.
Come on though, we have auto-signing now, what was the killer reason for
unsigned rpms?
1:58 p.m.
On 10/28/07, Toshio Kuratomi <a.badger(a)gmail.com> wrote:
We don't have auto-sign yet. Which is the main reason we
don't have
signed rawhide packages.
I think if we are serious about making rawhide day-to-day friendly to
encourage 'normal' people (aka Norms) to become part of the rawhide
testing process we'll need to autosign..something. Is there a feature
page for roadmapping rawhide non-toxic?
I think greg's right that bootable usbsticks are a pretty interesting
target as a testing platform for pre-release testing.
We just need to work out a reasonable transition from the usb stick to
gold release upgrade of the main system and we can add some assurance
that the pre-release bits are not being tampered with.
-jef"I want a 4 gig usb stick shaped like the fedora logo that I can
dedicate to rawhide testing"spaleta
2:07 p.m.
On Tue, 30 Oct 2007 10:58:26 -0800
"Jeff Spaleta" <jspaleta(a)gmail.com> wrote:
I think if we are serious about making rawhide day-to-day friendly
to
encourage 'normal' people (aka Norms) to become part of the rawhide
testing process we'll need to autosign..something. Is there a feature
page for roadmapping rawhide non-toxic?
Not written down, but in my head.
1) write a signing server (work progressing)
2) deploy a signing server human driven
3) wire up a method to let koji request packages be signed for it as
part of the build process.
4) profit.
--
Jesse Keating
Fedora -- All my bits are free, are yours?
2:15 p.m.
On 10/30/07, Jesse Keating <jkeating(a)redhat.com> wrote:
1) write a signing server (work progressing)
2) deploy a signing server human driven
3) wire up a method to let koji request packages be signed for it as
part of the build process.
Does this parse as koji requests auto-signing? Or is that a request to
put packages in a que for the human driver to deal with?
4) profit.
I'd settle for break-even.
-jef
2:21 p.m.
On Tue, 30 Oct 2007 11:15:34 -0800
"Jeff Spaleta" <jspaleta(a)gmail.com> wrote:
Does this parse as koji requests auto-signing? Or is that a request
to
put packages in a que for the human driver to deal with?
As to not delay rawhide composes, the correct thing is to sign a
package as soon as it's tagged for something that is going to rawhide.
So either koji needs to do it itself, or we need to have some daemon
that listens for tag successes and kicks off a signing request (or a
scheduled "sign all in dist-rawhide" run which can be... slow").
But since that's step 3, I'm not committing to any design until steps
one and two are complete.
--
Jesse Keating
Fedora -- All my bits are free, are yours?
3:40 p.m.
nodata wrote:
Am Donnerstag, den 25.10.2007, 22:51 -0400 schrieb Will Woods:
> This has been discussed a bunch of times already. Rawhide packages
> aren't signed. This is intentional.
That's nice. So I'll stop testing rawhide now because I don't know where
the packages are from. Conveniently jumping off and on the security
bandwagon at different stages in the release is a bit churlish.
It only takes one malicious unsigned package to be installed for the box
to be compromised, and nothing will protect against that.
Come on though, we have auto-signing now, what was the killer reason for
unsigned rpms?
A malicious package that gets placed into the system by a maintainer would come
flying down into your system 'signed' by an autosign process too... and you'd
happily not notice. That maintainer would pretty soon get reprimanded and the
packages cleaned up, but really nothing is in place to prevent that either (in
rawhide). Testing rawhide isn't for boxes with corporate sensitive data...
If you keep an eye on where your packages are coming from, even for rawhide,
then you can be sure that only authorized maintainers have put them into the
system (control which mirrors you're pulling them from). Actually signing the
package from the build system would change very little other than insure that
the mirror you're downloading from did not bring in a new package that doesn't
belong.
So as it stands, you have to extend trust to the maintainers, and the mirror.
You can pick which mirror you trust.
3:49 p.m.
Hi.
On Sun, 28 Oct 2007 13:40:25 -0700, Andrew Farris wrote
A malicious package that gets placed into the system by a maintainer
would come flying down into your system 'signed' by an autosign
process too... and you'd happily not notice.
Yes. That waoy I'd have to trust the maintainer and our build system.
As it stands now, I have to trust the maintainer, the build system and
the rest of the internet.
Which is rather a lot of trust.
2:27 a.m.
On So Oktober 28 2007, Andrew Farris wrote:
prevent that either (in rawhide). Testing rawhide isn't for
boxes with
corporate sensitive data...
This seems not to be common knowledge, because afaik even Fedora Maintainers
use Rawhide on a system, where they create new packages.
Actually signing the package from the build system would change very
little
other than insure that the mirror you're downloading from did not bring in
a new package that doesn't belong.
Imho it is a big benefit, because it is very easy for a mirror maintainer to
change a package. Also someone who breaks into a mirror can easily cause
heavy damage. And last but not least, the manipulation of the package can
also happen on the connection to the mirror, e.g. on conferences with
free/open wifi/internet access.
Regards,
Till
1:25 p.m.
Am Sonntag, den 28.10.2007, 13:40 -0700 schrieb Andrew Farris:
If you keep an eye on where your packages are coming from, even for
rawhide,
then you can be sure that only authorized maintainers have put them into the
system (control which mirrors you're pulling them from). Actually signing the
package from the build system would change very little other than insure that
the mirror you're downloading from did not bring in a new package that doesn't
belong.
It worries me massively, from a security perspective, that someone from
inside Red Hat would say something as wrong as this.
So as it stands, you have to extend trust to the maintainers, and the mirror.
You can pick which mirror you trust.
1:30 p.m.
Am Dienstag, den 30.10.2007, 19:25 +0100 schrieb nodata:
Am Sonntag, den 28.10.2007, 13:40 -0700 schrieb Andrew Farris:
> If you keep an eye on where your packages are coming from, even for rawhide,
> then you can be sure that only authorized maintainers have put them into the
> system (control which mirrors you're pulling them from). Actually signing the
> package from the build system would change very little other than insure that
> the mirror you're downloading from did not bring in a new package that
doesn't
> belong.
It worries me massively, from a security perspective, that someone from
inside Red Hat would say something as wrong as this.
Oh, you don't work for Red Hat. Sorry. But your statement is still
completely off the field.
>
> So as it stands, you have to extend trust to the maintainers, and the mirror.
> You can pick which mirror you trust.
>
6:21 a.m.
tis 2007-10-30 klockan 19:25 +0100 skrev nodata:
It worries me massively, from a security perspective, that someone
from
inside Red Hat would say something as wrong as this.
Trusting the network is sadly quite common. That sort of thinking is
something we in the Unix and free software world need to get rid of
right now if we want to keep telling people we have the most secure
systems.
I'd much rather trust "packages signed with the rawhide auto-sign key"
than "packages which the internet sends you when you ask for rawhide
bits".
/abo
6010
days inactive
6020
days old
18 comments
11 participants
participants (11)
-
Alexander Boström -
Andrew Farris -
Jef Spaleta -
Jesse Keating -
Matthew Miller -
nodata -
Ralf Ertzinger -
Till Maas -
Toshio Kuratomi -
Will Woods -
Yonas Abraham