On 2014-07-07 04:52, Chris St. Pierre wrote:
> On Sun, Jul 6, 2014 at 9:42 PM, Mark Mielke <mark.mielke@gmail.com> wrote:
>> If you don't believe security is possible... that's fine. Because perfect security is impossible. But, that doesn't mean people shouldn't try. CentOS *does* sign SRPM, do they not? Why do they do this? Obviously, somebody believes this aspect is important?
> CentOS *produces* the SRPMs. They should sign them -- it verifies that this is the SRPM CentOS built, not something masquerading as such. It makes no guarantee as to the content or provenance of the sources, though, beyond the degree to which we already trust CentOS. Signing the sources is an entirely different matter, since CentOS did not populate them and has no way to verify them independently of the upstream producer. We want a signed tag on the git repo in order to guarantee that these are the sources that upstream provided, not something masquerading as such. A signed tag from CentOS only certifies that these are the sources CentOS *thinks* upstream provided, which really truly is worth fuck-all because the chain of trust was broken by *upstream*.
A signed tag from CentOS would say "this is the content from which we built our SRPM". It wouldn't be "signing the sources" any more than the signing of SRPMs would be. Why would that be bad?
> [...] Until then, a signed tag from CentOS just tells us that someone trusted made a change to something untrusted, and the net result is still untrusted because -- say it with me this time -- the chain of trust was broken by *upstream*.
And this would be different for signed (S)RPMs how, exactly?
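What the two of them are arguing over is exactly what a signature on a tag binds to. The script below is an added illustration, not code from this thread or from CentOS's tooling: it builds real git blob, tree, commit and tag objects (the object ids are git's own sha1 format, so the empty-tree and empty-blob ids match what git prints), then signs the tag. The signing key, the file contents and the HMAC used in place of a GPG signature are all constructed stand-ins. Verifying the tag proves two things and only two: that the holder of the tagging key made it, and that it points at this exact tree. It cannot distinguish sources that were already wrong when they arrived from upstream, which is the point both sides are making about the SRPM signature as well.

```python
"""What a signed git tag binds to: key holder + exact tree, nothing about upstream provenance.

Added example. Object formats are real git; the signature is an HMAC stand-in for GPG,
and every key and file below is constructed for the demonstration.
"""
import hashlib
import hmac

SIG_BEGIN = b"-----BEGIN STAND-IN SIGNATURE-----\n"
SIG_END = b"-----END STAND-IN SIGNATURE-----\n"


def git_object_id(kind: str, body: bytes) -> str:
    """Git object id: sha1 over "<kind> <len>\\0<body>" (real git hashing)."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def tree_id(files: dict) -> str:
    """Tree object over a flat set of regular files, entries sorted by name (real git format)."""
    entries = b""
    for name in sorted(files):
        blob = git_object_id("blob", files[name])
        entries += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob)
    return git_object_id("tree", entries)


def commit_id(files: dict) -> str:
    """Commit that records the tree; author/committer/date are fixed so ids are reproducible."""
    body = (
        f"tree {tree_id(files)}\n"
        "author upstream <upstream@example.invalid> 0 +0000\n"
        "committer centos-import <import@example.invalid> 0 +0000\n"
        "\nImport sources as received from upstream\n"
    ).encode()
    return git_object_id("commit", body)


def make_signed_tag(files: dict, tag_name: str, message: str, key: bytes) -> bytes:
    """Tag object pointing at the commit, with a detached signature appended the way git does."""
    body = (
        f"object {commit_id(files)}\ntype commit\ntag {tag_name}\n"
        "tagger centos-import <import@example.invalid> 0 +0000\n"
        f"\n{message}\n"
    ).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()  # stand-in for a GPG signature
    return body + SIG_BEGIN + sig.encode() + b"\n" + SIG_END


def verify_tag(tag: bytes, key: bytes):
    """Return the commit id the tag binds to when the signature checks out, else None."""
    body, sep, rest = tag.partition(SIG_BEGIN)
    if not sep:
        return None
    sig = rest.split(b"\n", 1)[0].decode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    for line in body.decode().splitlines():
        if line.startswith("object "):
            return line.split(" ", 1)[1]
    return None


def tag_covers(tag: bytes, key: bytes, files: dict) -> bool:
    """True only when the key holder vouched for exactly this tree."""
    return verify_tag(tag, key) == commit_id(files)


if __name__ == "__main__":
    centos_key = b"constructed-centos-tagging-key"
    upstream_files = {"hello.c": b"int main(void) { return 0; }\n", "Makefile": b"all:\n\tcc hello.c\n"}
    tag = make_signed_tag(upstream_files, "v1.0", "CentOS import of v1.0", centos_key)

    # 1. Sources match what CentOS tagged: the tag verifies and binds to this tree.
    print("genuine import covered:", tag_covers(tag, centos_key, upstream_files))
    # 2. Sources altered after tagging: tree id changes, tag no longer covers them.
    altered = dict(upstream_files, **{"hello.c": b"int main(void) { return 1; }\n"})
    print("post-tag tamper covered:", tag_covers(tag, centos_key, altered))
    # 3. Sources altered *before* CentOS imported them: CentOS signs what it received,
    #    and the tag verifies just as well. The signature says nothing about upstream.
    bad_tag = make_signed_tag(altered, "v1.0", "CentOS import of v1.0", centos_key)
    print("pre-import tamper covered:", tag_covers(bad_tag, centos_key, altered))
    # 4. Wrong key: signature fails outright.
    print("wrong key:", verify_tag(tag, b"someone-elses-key"))
```

Scenarios 1 and 2 are what the signature buys you: the tree is pinned to the signer. Scenario 3 is the case the thread keeps circling back to, and it is identical for a signed SRPM, which is likewise a signature over whatever CentOS had in hand when it built.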