1:42 p.m.
Hiyas,
I just wondered how the RPM packages from Fedora used in RPMFusion
buildroots are verfied on the RPMFusion builders. Fedora uses direct
access to the RPM packages via a secure channel afaik, but since
RPMFusion does not use Fedora infrastructure, this seems not to be
possible. Also I did not found the typical RPM message about importing
the GPG key that is usually displayed on my local mock builds in the
RPMFusion build roots. Therefore I fear that the RPMs are not verified
at all, but please don't let this be true.
Regards
Till
2:19 p.m.
Till Maas wrote:
Hiyas,
I just wondered how the RPM packages from Fedora used in RPMFusion
buildroots are verfied on the RPMFusion builders. Fedora uses direct
access to the RPM packages via a secure channel afaik, but since
RPMFusion does not use Fedora infrastructure, this seems not to be
possible. Also I did not found the typical RPM message about importing
the GPG key that is usually displayed on my local mock builds in the
RPMFusion build roots. Therefore I fear that the RPMs are not verified
at all, but please don't let this be true.
mock typically does not verify keys (making the assumption that the
repos used internally are generally trusted implicitly).
-- Rex
10:23 p.m.
On Wed, Jan 13, 2010 at 08:19:21AM -0600, Rex Dieter wrote:
mock typically does not verify keys (making the assumption that the
repos used internally are generally trusted implicitly).
Afaik, the default configuration of mock is to use it only on machines
very trustworthy people have access (i.e. anyone can acquire root) and
use it only to build throw-away or test packages, that are not intended
to be used on systems with security sensitive data. The default
configuration does not use any internal repos, but the default Fedora
repositories.
Regards
Till
8:57 a.m.
Hiyas,
On Wed, Jan 13, 2010 at 02:42:26PM +0100, Till Maas wrote:
I just wondered how the RPM packages from Fedora used in RPMFusion
buildroots are verfied on the RPMFusion builders. Fedora uses direct
access to the RPM packages via a secure channel afaik, but since
RPMFusion does not use Fedora infrastructure, this seems not to be
possible. Also I did not found the typical RPM message about importing
the GPG key that is usually displayed on my local mock builds in the
RPMFusion build roots. Therefore I fear that the RPMs are not verified
at all, but please don't let this be true.
except for a answer about the default mock config, there was no reply to
this within two weeks. So I conclude that they are very likely not
verified and nobody cares, thats bad. :-(
Regards
Till
5:43 p.m.
--- On Mon, 2/1/10, Till Maas <opensource(a)till.name> wrote:
From: Till Maas <opensource(a)till.name>
Subject: Re: How are Fedora RPM packagess verified in RPMFusion buildsys?
To: "RPM Fusion developers discussion list"
<rpmfusion-developers(a)lists.rpmfusion.org>
Date: Monday, February 1, 2010, 3:57 AM
Hiyas,
On Wed, Jan 13, 2010 at 02:42:26PM +0100, Till Maas wrote:
> I just wondered how the RPM packages from Fedora used
in RPMFusion
> buildroots are verfied on the RPMFusion builders.
Fedora uses direct
> access to the RPM packages via a secure channel afaik,
but since
> RPMFusion does not use Fedora infrastructure, this
seems not to be
> possible. Also I did not found the typical RPM message
about importing
> the GPG key that is usually displayed on my local mock
builds in the
> RPMFusion build roots. Therefore I fear that the RPMs
are not verified
> at all, but please don't let this be true.
except for a answer about the default mock config, there
was no reply to
this within two weeks. So I conclude that they are very
likely not
verified and nobody cares, thats bad. :-(
Regards
Till
Thank you for your concern. I honestly don't know the answer to your question.
I'm not an official contributor to either Fedora or RPMFusion, just read the list to
keep up with package progress. I do know that unlike Fedora, which has a lot of Red Hat
Employees putting things together and keeping things moving, this is a volunteer project,
and things do tend to move VERY slowly. I've seen review requests that sit for months.
I'm sure someone here does know for sure, but it may take some time. Also, the
"Leadership" structure of this project might be in a state of flux, as some
changed in how the project is lead have been brought up. The point being is to please
remain patient, and someone will be able to answer your question.
Regards,
John
8:57 p.m.
On 2010/02/01 3:57 AM, Till Maas wrote:
Hiyas,
On Wed, Jan 13, 2010 at 02:42:26PM +0100, Till Maas wrote:
> I just wondered how the RPM packages from Fedora used in RPMFusion
> buildroots are verfied on the RPMFusion builders. Fedora uses direct
> access to the RPM packages via a secure channel afaik, but since
> RPMFusion does not use Fedora infrastructure, this seems not to be
> possible. Also I did not found the typical RPM message about importing
> the GPG key that is usually displayed on my local mock builds in the
> RPMFusion build roots. Therefore I fear that the RPMs are not verified
> at all, but please don't let this be true.
except for a answer about the default mock config, there was no reply to
this within two weeks. So I conclude that they are very likely not
verified and nobody cares, thats bad. :-(
I would bet that a more likely conclusion is that few people have access to
the buildsys, and those that do are very busy ;)
10:07 p.m.
On Mon, Feb 1, 2010 at 3:57 PM, Stewart Adam <maillist(a)diffingo.com> wrote:
On 2010/02/01 3:57 AM, Till Maas wrote:
>
> Hiyas,
>
> On Wed, Jan 13, 2010 at 02:42:26PM +0100, Till Maas wrote:
>
>> I just wondered how the RPM packages from Fedora used in RPMFusion
>> buildroots are verfied on the RPMFusion builders. Fedora uses direct
>> access to the RPM packages via a secure channel afaik, but since
>> RPMFusion does not use Fedora infrastructure, this seems not to be
>> possible. Also I did not found the typical RPM message about importing
>> the GPG key that is usually displayed on my local mock builds in the
>> RPMFusion build roots. Therefore I fear that the RPMs are not verified
>> at all, but please don't let this be true.
>
> except for a answer about the default mock config, there was no reply to
> this within two weeks. So I conclude that they are very likely not
> verified and nobody cares, thats bad. :-(
I would bet that a more likely conclusion is that few people have access to
the buildsys, and those that do are very busy ;)
Indeed they are. Just took a quick look at my own builder (which I
didn't actually set up, but I have access to). It isn't set to check
gpg sigs on packages. But it only pulls packages from known/trusted
mirrors (i.e., my own local one and the main rpmfusion ones).
--
Jarod Wilson
jarod(a)wilsonet.com
5407
days inactive
5426
days old
rpmfusion-developers@lists.rpmfusion.org
6 comments
5 participants
participants (5)
-
Jarod Wilson -
John Arntz -
Rex Dieter -
Stewart Adam -
Till Maas