On Thu, Dec 10, 2015, at 06:08 PM, Kevin Fenzi wrote: > Well, to be clear, I still think it's good to sign packages...
Yes, but just signing packages but allowing attacker-controlled metadata has various issues detailed in the papers linked from http://theupdateframework.com/ (Mostly forcing the client to install a signed but old/vulnerable package, particularly bad for network server packages) > Sure, but it's also a chicken and egg problem. > > If you start from just having windows or something you don't have our > gpg keys either and have to either trust the https page to download > them or some gpg keyserver. We were just talking about the rpm-md (yum) repos, right? I wouldn't really expect a Windows user to validate those, this is just something mostly where we set up our tools post-OS install to validate. So rpm-md repo signatures are desirable. (And same for the ostree repo side) -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
