[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

[Elias Persson]

On 2014-07-07 04:52, Chris St. Pierre wrote:
> On Sun, Jul 6, 2014 at 9:42 PM, Mark Mielke <mark.mielke at gmail.com
> <mailto:mark.mielke at gmail.com>> wrote:
>
>     If you don't believe security is possible... that's fine. Because
>     perfect security is impossible. But, that doesn't mean people
>     shouldn't try. CentOS *does* sign SRPM, do they not? Why do they do
>     this? Obviously, somebody believes this aspect is important?
>
>
> CentOS *produces* the SRPMs.  They should sign them -- it verifies that
> this is the SRPM CentOS built, not something masquerading as such.  It
> makes no guarantee as to the content or provenance of the sources,
> though, beyond the degree to which we already trust CentOS.
> Signing the sources is an entirely different matter, since CentOS did
> not populate them and has no way to verify them independently of the
> upstream producer.  We want a signed tag on the git repo in order to
> guarantee that these are the sources that upstream provided, not
> something masquerading as such.  A signed tag from CentOS only certifies
> that these are the sources CentOS *thinks* upstream provided, which
> really truly is worth fuck-all because the chain of trust was broken by
> *upstream*.
>

A signed tag from CentOS would say "this is the content from
which we built our SRPM". It wouldn't be "signing the sources"
any more than the signing of SRPMs would be. Why would that be
bad?

> [...]  Until then, a signed tag from CentOS just tells
> us that someone trusted made a change to something untrusted, and the
> net result is still untrusted because -- say it with me this time -- the
> chain of trust was broken by *upstream*.

And this would be different for signed (S)RPMs how, exactly?