
Mailing List Message of <rpm-devel>

Re: rpm3 package still exist

From: Tim Mooney <Tim.Mooney@ndsu.edu>
Date: Wed 25 Jun 2008 - 23:55:53 CEST
Message-ID: <Pine.SOL.4.64.0806251644480.17338@dogbert.cc.ndsu.NoDak.edu>
In regard to: Re: rpm3 package still exist, devzero2000 said (at 10:56pm on...:

> I can sign the document I wrote. I can sign a document, written by others, over
> which I have control, can update, verify the quality or, almost, I have
> trust in. If I have to sign a document which I have paid for and do not have control
> over, well, I am crazy or silly. It is as if I have to sign m$ software. Only to
> distribute it.
>
> So the digital signature became a joke. And I do not like this.

I'm not saying you're wrong, but look at it this way:  any time you accept
a package (whether it's an RPM on Linux or a "setup.exe" on Windows) from
a vendor and you install it on your system, you're placing a significant
amount of trust in that vendor.

If you sign a package for distribution via your software distribution
mechanism (maybe it's yum, maybe it's Red Hat Satellite, maybe it's
something different), you're not saying that you wrote the software and that
you vouch for the quality of the software: you're saying that you obtained
the software from the vendor.  You're vouching for its provenance, not
its quality.

By vouching for its provenance, you can now easily distribute this
software via your software distribution method to whatever systems should
have it.  If "whatever systems should have it" == 10,000 systems, isn't
it better to distribute it easily via your software distribution method
than to do it the hard way?  Either way, the software gets installed on
the system.  You're in no worse position by having signed it for
internal distribution than you are if you hadn't.

There's also no danger that some third party might see your signature on
an RPM and take that as a sign that you're vouching for the quality of
the software, because all of the vendors that we're talking about as part
of this discussion, that are still using rpm 3.0.x, have legal
restrictions on redistributing the software you've obtained from them.

Tim
-- 
Tim Mooney                                        Tim.Mooney@ndsu.edu
Information Technology Services                   (701) 231-1076 (Voice)
Room 242-J6, IACC Building                        (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
Received on Wed Jun 25 23:56:47 2008
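The provenance-only signing policy Tim describes, as an added example that is not part of the original thread or of rpm itself: the internal signer first checks that the package matches the digest the vendor published, then emits a signed statement whose claim is explicitly "provenance-only", and the installing side refuses anything whose signature or claim does not check out. HMAC-SHA256 with an internal key stands in for the GPG signature that `rpm --addsign` would apply; the package bytes, vendor name, digest and key are all constructed for the example.

```python
"""Provenance-only signing gate (added example, not rpm's own code).

An internal signature on a vendor package attests only that the package is
the one obtained from the vendor, never its quality.  The vendor-published
digest is checked before anything is signed, so the signature cannot be
applied to a tampered or mis-downloaded package.
"""
import hashlib
import hmac
import json

# Constructed sample: a "package" and the digest the vendor published for it.
VENDOR_PACKAGE = b"\x00fake-rpm-payload-from-vendor\x00"
VENDOR_DIGEST = hashlib.sha256(VENDOR_PACKAGE).hexdigest()

# Hypothetical internal signing key; stands in for the organisation's GPG key.
INTERNAL_KEY = b"example-internal-signing-key"


class ProvenanceError(Exception):
    """Raised when the package does not match what the vendor published."""


def verify_vendor_digest(package: bytes, published_digest: str) -> str:
    """Return the package digest, or refuse if it differs from the vendor's."""
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, published_digest):
        raise ProvenanceError("digest mismatch: refusing to sign")
    return actual


def _canonical(statement: dict) -> bytes:
    # Sign a canonical JSON encoding so key order cannot change the signature.
    return json.dumps(statement, sort_keys=True).encode()


def sign_for_distribution(package: bytes, vendor: str,
                          published_digest: str, key: bytes) -> dict:
    """Produce the signed provenance statement for internal distribution."""
    digest = verify_vendor_digest(package, published_digest)
    statement = {
        "sha256": digest,
        "vendor": vendor,
        "claim": "provenance-only",  # explicitly not a quality claim
    }
    signature = hmac.new(key, _canonical(statement), hashlib.sha256).hexdigest()
    return {**statement, "signature": signature}


def check_before_install(package: bytes, statement: dict, key: bytes) -> bool:
    """Installing side: accept only a valid, provenance-scoped statement."""
    unsigned = {k: v for k, v in statement.items() if k != "signature"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, statement.get("signature", "")):
        return False  # not signed by the internal key
    if statement.get("claim") != "provenance-only":
        return False  # statement makes a claim this policy does not issue
    actual = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(actual, statement.get("sha256", ""))


def signing_refused(package: bytes, published_digest: str) -> bool:
    """True when the signer refuses the package (digest does not match)."""
    try:
        sign_for_distribution(package, "ExampleVendor", published_digest, INTERNAL_KEY)
    except ProvenanceError:
        return True
    return False


if __name__ == "__main__":
    stmt = sign_for_distribution(VENDOR_PACKAGE, "ExampleVendor",
                                 VENDOR_DIGEST, INTERNAL_KEY)
    print(json.dumps(stmt, indent=2))
    print("install ok:", check_before_install(VENDOR_PACKAGE, stmt, INTERNAL_KEY))
    print("tampered refused:", signing_refused(VENDOR_PACKAGE + b"x", VENDOR_DIGEST))
```

The design point is the one in the message: the signer's statement carries a scoped claim and a digest, so a downstream consumer can verify that the bytes it is about to install are the ones the organisation obtained from the vendor, and nothing more is being vouched for.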