On Sun, Jul 6, 2014 at 9:04 PM, Chris St. Pierre <chris.a.st.pierre@gmail.com> wrote:
> There's been a lot of discussion on this, which is surprising given that this is the wrong place for it. Maybe next we can discuss how to improve AutoYAST or IIS.
> Some people seem to have forgotten that CentOS, despite the recent change in employment status of several of its core members, is the *downstream* rebuilder. They get their sources via git.centos.org from a prominent North American Linux reseller, just like the rest of us.
> Read that again: CentOS is not special. They are *consumers* of the sources, not the producers.
You have some interesting points... but, this discussion is just as important for consumers as for producers, and CentOS is both a consumer *and* a producer, as are many other downstream distros based upon upstream distros.
If you don't believe security is possible... that's fine. Because perfect security is impossible. But, that doesn't mean people shouldn't try. CentOS *does* sign SRPMs, do they not? Why do they do this? Obviously, somebody believes this aspect is important?
It seems like some people just want to do what they're already doing (for better or for worse) and it doesn't really matter what the request is, or the merit of the request. Which is fine... but just please admit to it.
> So if CentOS pushed a zillion signed tags to git.centos.org, that'd only mean that CentOS trusts those sources. If, as Nico suggested, git.centos.org was pwned, then CentOS just certified bogus sources. IOW, a signed tag from Jim, or Johnny, or KB, or any of the other CentOS devs means precisely fuck-all, and not a bit more, because they get the sources through the EXACT SAME distribution channel that the rest of us do. CentOS is not special, they just look that way. Really, if this is the assurance you want, just add your own signed tags to your local repo -- it's just as meaningful.
> What do we want? FUCK-ALL! When do we want it? NOW!
You are right about "just add your own signed tags". Actually, everybody who derives should sign their derived works. That makes it possible to track back if or when something bad does happen, and we can see where the problem was introduced. So Red Hat should sign their tags, and CentOS should sign any tags that they create. It's not "FUCK-ALL"... It's evidence that a particular process was followed that was approved by a particular person. It's a paper trail that is more difficult to forge. It's no different from a signature on a form authorizing a change. Yes they can be forged... but that doesn't mean that "no signature" is better than "signature that can theoretically be forged".
> If you want *actual* cryptographic assurance that the sources you're grabbing from git.centos.org are the same sources pushed there by the *upstream* vendor, maybe, just maybe, you should ask that upstream vendor. Otherwise it's just garbage in, garbage out, and they're only certifying that the sources you download match the sources someone else downloaded. I guess misery loves company, but that sure doesn't seem helpful.
Yes, the upstream vendor should be asked. That doesn't really add or remove merit to CentOS signing any tags that CentOS creates.
> I'll warn you, though, since the specter of the all-powerful NSA was raised: they already have Red Hat's signing keys. And yours, too.
They might... but it really sounds like you are saying that because it is possible for the NSA to get past any security, therefore no security makes perfect sense. It sounds like extending your thinking would conclude that signing the SRPM is also useless. And for this... if you really do think this... I think you are quite wrong.
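The point both sides of the thread are circling, shown in working code rather than argued. This is an added example, not code from the thread, from CentOS or from Red Hat: it builds a throwaway repository with two throwaway GnuPG keys, a hypothetical "upstream" and a hypothetical "downstream", signs a tag with each, and then shows what `git verify-tag` does and does not establish. The names, e-mail addresses, file contents and tag names are all made up for the demo; it assumes a POSIX shell with git and GnuPG 2.x installed, and nothing else.

```shell
# Added example (not from the thread, CentOS or Red Hat). Two throwaway keys,
# "upstream" and "downstream", each signing a tag on the same repository. All
# identities, paths and tag names below are invented for the demonstration.
set -eu

WORK=$(mktemp -d)
REPO="$WORK/repo"
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Generate an unprotected Ed25519 signing key for one party and print its
# fingerprint. Throwaway keys only; a real project key is never made this way.
make_key() {
    printf '%s\n' '%no-protection' 'Key-Type: eddsa' 'Key-Curve: ed25519' \
        'Key-Usage: sign' "Name-Real: $1" "Name-Email: $2" 'Expire-Date: 0' \
        '%commit' >"$WORK/$2.batch"
    gpg --batch --quiet --gen-key "$WORK/$2.batch" 2>/dev/null
    gpg --batch --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of the key that produced a tag's signature, or nothing if the
# signature does not verify. `git verify-tag --raw` prints gpg's status lines
# (GOODSIG, VALIDSIG, ...) on stderr.
signer_of_tag() {
    git -C "$REPO" verify-tag --raw "$1" 2>&1 | awk '$2 == "VALIDSIG" { print $3; exit }'
}

# Exit status 0 if two tags point at identical trees, 1 if the content differs.
same_tree() {
    git -C "$REPO" diff --quiet "$1" "$2"
}

UP_FPR=$(make_key "Upstream Vendor" "upstream@example.invalid")
DOWN_FPR=$(make_key "Downstream Rebuilder" "downstream@example.invalid")

git init -q "$REPO"
git -C "$REPO" config user.name "demo"
git -C "$REPO" config user.email "demo@example.invalid"
git -C "$REPO" config gpg.program gpg

# 1. Upstream publishes its source and signs a tag over exactly that tree.
echo 'int main(void) { return 0; }' >"$REPO/hello.c"
git -C "$REPO" add hello.c
git -C "$REPO" commit -q -m "import 1.0"
git -C "$REPO" tag -s -u "$UP_FPR" -m "release 1.0" v1.0

# 2. The distribution channel is compromised: what downstream receives is not
#    what upstream signed. Downstream imports what it got and, following its
#    normal process, signs its own tag over it.
echo 'int main(void) { return system("/bin/sh"); }' >"$REPO/hello.c"
git -C "$REPO" commit -q -am "import 1.0 (as received via the mirror)"
git -C "$REPO" tag -s -u "$DOWN_FPR" -m "rebuild of 1.0" v1.0-rebuild

# Both signatures verify. What distinguishes them is *whose* key signed, and
# only the tag signed by upstream's key says anything about what upstream
# shipped; the downstream signature attests to what downstream received.
printf 'v1.0 signed by %s\n' "$(signer_of_tag v1.0)"
printf 'v1.0-rebuild signed by %s\n' "$(signer_of_tag v1.0-rebuild)"
if same_tree v1.0 v1.0-rebuild; then
    echo "trees match"
else
    echo "trees differ: the downstream tag certified what downstream received, not what upstream released"
fi
```

Two things follow from running it. First, a verifier that only checks "is there a good signature" would accept `v1.0-rebuild`; the meaningful check is `git verify-tag` plus a policy on the signer's fingerprint, which is where "ask the upstream vendor" comes in. Second, the downstream signature is not worthless: it pins exactly which tree downstream built from and who approved it, so when the two tags disagree the comparison localizes the problem to the channel between the two signers, which is the paper-trail argument made above.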