On 07/07/2014 09:22 AM, Elias Persson wrote:
> A signed tag from CentOS would say "this is the content from which we built our SRPM". It wouldn't be "signing the sources" any more than the signing of SRPMs would be. Why would that be bad?
But an SRPM has more than what's in git, and we can't know what we are going to release till the code is built, QA'd and has passed release testing etc., so signing a commit will always be an afterthought.
Also, putting distro keys on developer laptops and circulating them around town isn't a nice thing; expand that with an increasing contributor base who are able to branch and build their own content into SIGs etc., and you dramatically expand that problem base.
>> [...] Until then, a signed tag from CentOS just tells us that someone trusted made a change to something untrusted, and the net result is still untrusted because -- say it with me this time -- the chain of trust was broken by *upstream*.
> And this would be different for signed (S)RPMs how, exactly?
An SRPM is a reproducible build source, comprehensive, and includes build-time metadata. This will match back to the delivered build log results, which can be mapped, using the timestamp, to the exact environment it was built in.
A git tag would mostly just indicate what spec was used, and would come after the event, with no validation on what content changed under and around the hood by the time this code was released.
Two very different things.