On Sat, Sep 10, 2016 at 23:22:39 -0400, Jeffrey Johnson wrote:
> The better patch (headed toward elimination of --nosignature disablers)
> is to wrap the tests on the --query path with
>
> #if defined(SUPPORT_NOSIGNATURES)
> ...
> #endif
>
> and then rip out the --nosignature option entirely.
Well, consider I got some unknown.rpm. I do want it to be verified by default during query, however if it happens that signatures do not match I need an option to analyze (potentially malicious) content. For the very beginning, I would check the first possibility - that I simply have not imported the appropriate key. That unknown.rpm might be some 3rd party software downloaded from a vendor I do trust in the sense of not being malicious, but I do not trust on proper packaging or compatibility (%pre/%post scripts quality, file locations, UIDs/GIDs etc.). So, BEFORE importing the key, I need to inspect this package. As rpm2cpio won't extract the scripts nor show me the site URL pointer, I can't imagine dropping the --nosignature option from the --query mode.

Then, while installing this particular package, you can't force me to trust the GPG key used, as *IN GENERAL* I might NOT TRUST this vendor. The fact that I'm forced to use some of their software doesn't mean I ever want to install anything else they've signed. Without --nosignature, I would have to import the key, install the package and remove the key. Or, as you've mentioned before, resign the package with my own key, provided there are some REALLY EASY ways of doing it (i.e. a single command that generates a temporary key and applies it to the package). However, BEFORE re-signing such a package, I need the tool to query the contents and analyze them.

Thus, as long as ripping off --nosignature seems to be the right way for a Linux distribution, it seems to ignore the existence of 3rd party software that is being used in the real world. The usage scenario rpm has to allow:

1. rpm -qp unknown.rpm -> signature verification failed,
2. rpm -qpilv --scripts --nosignature unknown.rpm -> analyze
3. rpm2cpio ... -> content analysis IF required (trusting the vendor)
4. rpm --resign unknown.rpm (not with MY key, but some generated)
5. rpm -i unknown.rpm

Consider web browsers - with the Let's Encrypt initiative I can imagine that in several years some would start to disable various functions over non-secure channels (e.g. cookies and POST over HTTP). As this is a gradual process with a huge userbase behind it, it can crawl towards HTTPS-only, forcing web service providers to adjust. However, with the relatively small rpm userbase (as a part of the relatively small Linux userbase), with even fewer users of 3rd party software, you can't expect providers would adapt. And that's apart from the trust issue I've mentioned above (that I do NOT trust them in general, just have to use SOME of their sw).

-- 
Tomasz Pala <[email protected]>
_______________________________________________
pld-devel-en mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
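A worked example, added here and not part of the thread or of rpm itself: a small Python parser that reads the RPM lead, skips past the signature header and pulls NAME, VERSION, URL, the scriptlets and the file basenames out of the main header. That is the metadata the post wants to look at with `rpm -qp --scripts --nosignature` before any vendor key is imported, and this shows it is readable without verifying or trusting anything. The magic values and tag numbers are rpm's real ones (rpmlead.h / rpmtag.h); the sample package is constructed inside the script (build_sample_rpm, with an invented vendor.example URL and a %pre scriptlet) so it runs offline. No signature is checked and the payload is never unpacked; every index entry is bounds-checked so a malformed package makes the parser fail cleanly instead of reading outside the buffer.

```python
import struct

# RPM on-disk layout: 96-byte lead, signature header, 8-byte padding, main header, payload.
# Magic values and tag numbers below are the real ones from rpm's rpmlead.h / rpmtag.h.
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
RPM_INT32, RPM_STRING, RPM_STRING_ARRAY = 4, 6, 8

# Main-header tags worth reading before deciding whether to trust a package.
TAGS = {
    1000: "NAME", 1001: "VERSION", 1020: "URL",
    1023: "PREIN", 1024: "POSTIN", 1025: "PREUN", 1026: "POSTUN",
    1117: "BASENAMES",
}
SCRIPT_TAGS = ("PREIN", "POSTIN", "PREUN", "POSTUN")


def _cstring(data, pos):
    """Decode a NUL-terminated string at data[pos]; return (text, position after the NUL)."""
    end = data.index(b"\x00", pos)          # raises ValueError if the terminator is missing
    return data[pos:end].decode("utf-8", "replace"), end + 1


def parse_header(buf, off):
    """Parse one header structure at buf[off]; return (tag -> value, offset after it)."""
    if len(buf) < off + 16 or buf[off:off + 8] != HEADER_MAGIC:
        raise ValueError("bad or truncated header at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_off = off + 16
    data_off = index_off + 16 * nindex
    if len(buf) < data_off + hsize:
        raise ValueError("header index or data store is truncated")
    data = buf[data_off:data_off + hsize]
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(
            ">IIII", buf[index_off + 16 * i:index_off + 16 * (i + 1)])
        if offset >= hsize:
            raise ValueError("index entry %d points outside the data store" % i)
        if typ == RPM_STRING:
            entries[tag] = _cstring(data, offset)[0]
        elif typ == RPM_STRING_ARRAY:
            values, pos = [], offset
            for _ in range(count):
                text, pos = _cstring(data, pos)
                values.append(text)
            entries[tag] = values
        elif typ == RPM_INT32:
            entries[tag] = list(struct.unpack(">%dI" % count, data[offset:offset + 4 * count]))
        else:
            entries[tag] = data[offset:offset + count]   # raw bytes for types not decoded here
    return entries, data_off + hsize


def inspect_rpm(buf):
    """Return the triage-relevant main-header fields of an RPM without checking its signature."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    _sig, end = parse_header(buf, 96)       # signature header: parsed only to find where it ends
    end += (-end) % 8                       # the signature header is padded to an 8-byte boundary
    hdr, _ = parse_header(buf, end)
    return {TAGS[t]: v for t, v in hdr.items() if t in TAGS}


def scriptlets(info):
    """The (tag, script) pairs present, i.e. what `rpm -qp --scripts` would show."""
    return [(t, info[t]) for t in SCRIPT_TAGS if t in info]


# --- constructed sample package (not a real vendor artifact) --------------------------

def build_header(entries):
    """Serialise (tag, type, encoded value, count) tuples into one header structure."""
    index, data = b"", b""
    for tag, typ, value, count in entries:
        if typ == RPM_INT32:
            data += b"\x00" * ((-len(data)) % 4)     # INT32 data is 4-byte aligned
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += value
    return HEADER_MAGIC + struct.pack(">II", len(entries), len(data)) + index + data


def build_sample_rpm():
    """A minimal binary RPM with a %pre scriptlet; the payload is only a placeholder."""
    lead = (LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"unknown-1.0-1".ljust(66, b"\x00") + struct.pack(">HH", 1, 5) + b"\x00" * 16)
    sig = build_header([(1000, RPM_INT32, struct.pack(">I", 4096), 1)])   # RPMSIGTAG_SIZE
    sig += b"\x00" * ((-len(sig)) % 8)
    hdr = build_header([
        (1000, RPM_STRING, b"unknown\x00", 1),
        (1001, RPM_STRING, b"1.0\x00", 1),
        (1020, RPM_STRING, b"https://vendor.example/unknown\x00", 1),
        (1023, RPM_STRING, b"#!/bin/sh\nuseradd -r unknownsvc\n\x00", 1),
        (1117, RPM_STRING_ARRAY, b"unknownd\x00unknown.conf\x00", 2),
    ])
    return lead + sig + hdr + b"<payload not inspected>"


if __name__ == "__main__":
    info = inspect_rpm(build_sample_rpm())
    print(info["NAME"], info["VERSION"], info["URL"], info["BASENAMES"])
    for tag, script in scriptlets(info):
        print("%s:\n%s" % (tag, script))
```

Pointing inspect_rpm at a real file (open(path, "rb").read()) gives the same dictionary for the unknown.rpm of the post; the point of keeping the parser separate from any signature check is exactly the workflow above: read the scriptlets, URL and file names first, decide whether to import the key afterwards.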
