Re: F24 Self Contained Change: Koji Generates Repositories of Signed RPMs

2015-12-12 Thread Kevin Fenzi
On Thu, 10 Dec 2015 21:28:17 -0500 Colin Walters wrote: > On Thu, Dec 10, 2015, at 06:08 PM, Kevin Fenzi wrote: > > > Well, to be clear, I still think it's good to sign packages... > > Yes, but just signing packages but allowing attacker-controlled > metadata has various issues detailed in t

Re: F24 Self Contained Change: Koji Generates Repositories of Signed RPMs

2015-12-10 Thread Colin Walters
On Thu, Dec 10, 2015, at 06:08 PM, Kevin Fenzi wrote: > Well, to be clear, I still think it's good to sign packages... Yes, but just signing packages but allowing attacker-controlled metadata has various issues detailed in the papers linked from http://theupdateframework.com/ (Mostly forcing the

Re: F24 Self Contained Change: Koji Generates Repositories of Signed RPMs

2015-12-10 Thread Kevin Fenzi
On Thu, 10 Dec 2015 17:29:14 -0500 Colin Walters wrote: > On Thu, Dec 10, 2015, at 04:58 PM, Kevin Fenzi wrote: > > > Also, repo signing doesn't really get us anything does it? > > I believe you have stated previously that because the metalink fetch > is protected by TLS which chains to sha2

Re: F24 Self Contained Change: Koji Generates Repositories of Signed RPMs

2015-12-10 Thread Colin Walters
On Thu, Dec 10, 2015, at 04:58 PM, Kevin Fenzi wrote: > Also, repo signing doesn't really get us anything does it? I believe you have stated previously that because the metalink fetch is protected by TLS which chains to sha256sums, and hence GPG is not necessary, I would say it's not the same th

Re: F24 Self Contained Change: Koji Generates Repositories of Signed RPMs

2015-12-10 Thread Kevin Fenzi
On Fri, 4 Dec 2015 13:34:00 -0500 Mike McLean wrote: > That is out of scope as koji will not be actually performing signing > as part of this feature, just utilizing rpm signatures that have > already been imported. Neat idea, but bigger problem and not really > related to this Also, repo signi

Re: F24 Self Contained Change: Koji Generates Repositories of Signed RPMs

2015-12-04 Thread Mike McLean
That is out of scope as koji will not be actually performing signing as part of this feature, just utilizing rpm signatures that have already been imported. Neat idea, but bigger problem and not really related to this On Dec 1, 2015 7:37 AM, "Petr Spacek" wrote: > On 1.12.2015 13:15, Jan Kurik wr

Re: F24 Self Contained Change: Koji Generates Repositories of Signed RPMs

2015-12-01 Thread Petr Spacek
On 1.12.2015 13:15, Jan Kurik wrote: > = Proposed Self Contained Change: Koji Generates Repositories of Signed RPMs = > > Change owner(s): > * Jay Greguske < jgregusk with the usual red hat domain > > > Extend Koji with a new feature that allows users to generate yum > repositories of signed RPMs

F24 Self Contained Change: Koji Generates Repositories of Signed RPMs

2015-12-01 Thread Jan Kurik
= Proposed Self Contained Change: Koji Generates Repositories of Signed RPMs = Change owner(s): * Jay Greguske < jgregusk with the usual red hat domain > Extend Koji with a new feature that allows users to generate yum repositories of signed RPMs. == Detailed Description == This is a significant