On Wed, Jun 25, 2008 at 11:55 PM, Tim Mooney <Tim.Mooney@ndsu.edu> wrote:
> In regard to: Re: rpm3 package still exist, devzero2000 said (at 10:56pm
> on...:
>
>> I can sign the document I wrote. I can sign a document, written by others, over
>> which I have control, can update, verify the quality of, or, at least, have
>> trust in. If I have to sign a document which I have paid for and do not have
>> control over, well, I am crazy or silly. It is as if I had to sign m$ software,
>> only to distribute it.
>>
>> So the digital signature becomes a joke. And I do not like this.
>>
>
> I'm not saying you're wrong, but look at it this way: any time you accept
> a package (whether it's an RPM on Linux or a "setup.exe" on Windows) from
> a vendor and you install it on your system, you're placing a significant
> amount of trust in that vendor.
>
> If you sign a package for distribution via your software distribution
> mechanism (maybe it's yum, maybe it's Red Hat Satellite, maybe it's
> something different), you're not saying that you wrote the software and that
> you vouch for the quality of the software: you're saying that you obtained
> the software from the vendor. You're vouching for its provenance, not
> its quality.
rpm5, for some years now, has exactly the function for the vendor to
vouch, via crypto methods and not by assertion, for the provenance and
integrity of the software they produce: the signature probe, for example:
Summary: A GNU file archiving program
Name: tar
Epoch: 2
Version: 1.17
Release: 7%{?dist}
License: GPLv2+
Group: Applications/Archiving
URL: http://www.gnu.org/software/tar/
Source0: ftp://ftp.gnu.org/pub/gnu/tar/tar-%{version}.tar.gz
Source1: ftp://ftp.gnu.org/pub/gnu/tar/tar-%{version}.tar.gz.sig
Source2: tar.1
Source3: sergey.gpg
..................
#################################################################
# Here we verify the tarball (SOURCE0) using the signature (SOURCE1),
# public key (SOURCE3), and the fingerprint of the public keys
# e.g:
# gpg --list-keys --fingerprint
###################################################################
BuildRequires: signature(%{SOURCE0}:%{SOURCE1}) = %{SOURCE3}:325F650C4C2B6AD58807327A3602B07F55D0C732
Anyway, I think that this can be an example of use.
If and when they begin to use rpm5 (or rpm6 etc.), perhaps in 2100, they can
use this. In the meantime I live happily - more or less - confining, YES
"confining", these packages in a specific yum repo - with the hope that
someday I can finally live without them.
[commercial-base]
name=commercial $releasever - $basearch - Base
baseurl=http://vendor.example.com/yumrepo/core/$releasever/$basearch/commercial
#####################
# XXX no digital
# signature from the vendor
# They give me, face to face, in my hands. Hope the best
#####################
failovermethod=priority
enabled=1
gpgcheck=0 <----- ###################
(aside) Satellite has Oracle (and the RH rpm) in it (iirc): do you know if
RH signs the Oracle RPMs? Surely they probably do, but I don't know.
So it depends on the POV.
Thanks for your reply.
Received on Thu Jun 26 09:38:49 2008
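The check that the spec's BuildRequires signature probe performs, redone by hand with gpg, as an added example that is not rpm5's own code: only the fingerprint comes from the spec above; the file names, the throwaway-keyring handling and the sample status transcripts are assumptions.

```shell
#!/bin/sh
# Added example (not rpm's code): the check behind the rpm5 line
#   BuildRequires: signature(%{SOURCE0}:%{SOURCE1}) = %{SOURCE3}:<fingerprint>
# done by hand with gpg. Only PIN_FPR comes from the tar spec; everything else
# (file names, keyring handling, sample status output) is an assumption.
PIN_FPR="325F650C4C2B6AD58807327A3602B07F55D0C732"

# check_status STATUS_TEXT FINGERPRINT
# Accept a gpg --status-fd transcript only if a VALIDSIG line names the pinned
# full fingerprint. GOODSIG alone is not enough: it carries a short key ID and a
# user ID, neither of which binds the signature to one specific key.
check_status() {
    status="$1"
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')   # gpg prints upper-case hex
    # Any of these is a hard failure, whatever else gpg printed.
    printf '%s\n' "$status" \
        | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) ' && return 1
    # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last field the
    # primary key fingerprint; a spec may legitimately pin either one.
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_source TARBALL SIG PUBKEY FINGERPRINT
# Imports PUBKEY into a throwaway keyring so nothing else on the build host can
# satisfy the check, then runs gpg's status output through check_status.
verify_source() {
    home=$(mktemp -d) || return 1
    gpg --batch --homedir "$home" --import "$3" >/dev/null 2>&1 || { rm -rf "$home"; return 1; }
    out=$(gpg --batch --homedir "$home" --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] && check_status "$out" "$4"
}

# Constructed status transcripts, in the shape gpg --status-fd 1 emits.
STATUS_PINNED='[GNUPG:] GOODSIG 3602B07F55D0C732 Example Key <key@example.org>
[GNUPG:] VALIDSIG 325F650C4C2B6AD58807327A3602B07F55D0C732 2008-06-25 1214344800 0 4 0 17 2 00 325F650C4C2B6AD58807327A3602B07F55D0C732
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# A good signature, but from some other key: must be rejected.
STATUS_OTHER_KEY='[GNUPG:] GOODSIG 0123456789ABCDEF Other Key <other@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2008-06-25 1214344800 0 4 0 17 2 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
STATUS_BAD='[GNUPG:] BADSIG 3602B07F55D0C732 Example Key <key@example.org>'

# Usage: verify_source tar-1.17.tar.gz tar-1.17.tar.gz.sig sergey.gpg "$PIN_FPR"
```

Pinning the full fingerprint is what makes this stronger than yum's gpgcheck=1 with a vendor keyring: a good signature from any other imported key is still a failure.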