Martin Schröder wrote:
> 2008/12/17 Marc Espie <[email protected]>:
>> We think it's worse to sign packages than not to sign them if you don't have
>> a fairly strict process that ensures you have a correct chain of trust.
> Agreed. PGP provides that, but I can understand that nobody wants GnuPG
> in base. :-{
Errr, no, PGP doesn't provide the *process* of key protection. It
provides some tools that are useful in the process, but the process and
systems themselves are what protects e.g. the gpg private key used to
sign packages.
Like Marc said, if you sign packages when the process doesn't protect the
integrity of the signatures, the source used to compile the binaries
that are signed, and the binaries themselves, you are providing a
misleading sense of security instead of an actual benefit.
An example of the difference:
http://rhn.redhat.com/errata/RHSA-2008-0855.html
--
Matthew Weigel
hacker
unique & idempot . ent
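The distinction Matthew draws above, between a signature that merely verifies and a signature that is backed by a process protecting the key, can be shown in code. The following Go program is an added illustration and is not part of the thread or of any package tool it mentions; it uses the standard-library ed25519 implementation, and the key seeds, package names and payloads are constructed for the example. A naive verifier trusts whatever public key is shipped inside the package, so any key holder can produce an "accepted" package; a verifier with a pinned trust store, distributed out-of-band as part of the process, rejects the same package.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// SignedPackage models an archive together with the metadata a signing
// scheme typically attaches: the signer's public key and a signature over
// the payload. All values in this file are constructed for the example.
type SignedPackage struct {
	Name      string
	Payload   []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}

// TrustStore is the pinned set of packager public keys, distributed
// out-of-band (for instance with the base system), indexed by key id.
type TrustStore map[string]ed25519.PublicKey

// keyID is a short fingerprint used to look a key up in the trust store.
func keyID(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", pub[:8]) }

// sign produces a package signed by priv, bundling the matching public key.
func sign(priv ed25519.PrivateKey, name string, payload []byte) SignedPackage {
	return SignedPackage{
		Name:      name,
		Payload:   payload,
		SignerKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, payload),
	}
}

// VerifyBundledKey checks only that the signature is valid under the key
// shipped inside the package. The maths is sound, but any key can sign,
// so a pass says nothing about who built the package.
func VerifyBundledKey(p SignedPackage) bool {
	return ed25519.Verify(p.SignerKey, p.Payload, p.Signature)
}

// VerifyPinned additionally requires the signing key to be one the
// verifier already trusts, so the signature only carries meaning if the
// custody of that key is part of the release process.
func VerifyPinned(ts TrustStore, p SignedPackage) bool {
	pinned, ok := ts[keyID(p.SignerKey)]
	if !ok || !pinned.Equal(p.SignerKey) {
		return false
	}
	return ed25519.Verify(pinned, p.Payload, p.Signature)
}

// Demo builds one package signed by the pinned packager key and one signed
// by an unknown key, and returns (naiveAcceptsRogue, pinnedAcceptsRogue,
// pinnedAcceptsGenuine).
func Demo() (bool, bool, bool) {
	// Constructed, deterministic seeds; a real packager key would be
	// generated and kept under the controls the thread is talking about.
	packager := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, 32))
	rogue := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, 32))

	packagerPub := packager.Public().(ed25519.PublicKey)
	ts := TrustStore{keyID(packagerPub): packagerPub}

	genuine := sign(packager, "example-1.0.tgz", []byte("genuine contents"))
	rogueSigned := sign(rogue, "example-1.0.tgz", []byte("modified contents"))

	return VerifyBundledKey(rogueSigned), VerifyPinned(ts, rogueSigned), VerifyPinned(ts, genuine)
}

func main() {
	naive, pinnedRogue, pinnedGenuine := Demo()
	fmt.Printf("bundled-key verifier accepts unknown signer: %v\n", naive)
	fmt.Printf("pinned verifier accepts unknown signer:      %v\n", pinnedRogue)
	fmt.Printf("pinned verifier accepts genuine package:     %v\n", pinnedGenuine)
}
```

The pinned trust store only helps if the private key behind it is actually protected; the code makes the key-provenance check explicit, but the process that keeps `packager` out of unauthorized hands is outside anything a verifier can check, which is the point of the thread.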