> How the packaging chain is kept secure. It would be good to know how many people are able to sign packages, and how they gain access to the systems where this signing is done.
It would be relatively easy to physically separate the system used for signing packages, so that no network access is possible (i.e. backup built packages to a medium, take it to the signing machine, sign, backup again, put into repository). Sure, this would make things slower, but even now there is quite a delay between building a new package in koji and having it available in the repo. But that would only deal with half the problem.
If the build system gets compromised (which is used by _many_), it may be all over too. In such a case you would have legitimate signers signing packages that are no good. I guess having a disconnected replica of the build system may be a solution, where all built packages destined to land in updates would be rebuilt for verification, but that would be quite complicated and expensive to do.
Of course, all the above would assume that Fedora contributors themselves are not subverting the system (knowingly or not). Maybe the real solution is to actually use this potential vulnerability to create more protection, by requiring a certain number of contributors to sign all packages with their own private keys before they are considered valid. In such a scenario, attackers would have to compromise many private keys owned by many different people in order to have an effect. And these signers would have an opportunity to verify that the builds are correct, by performing their own.
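The k-of-n contributor-signing rule sketched in the last paragraph, as an added example that is not part of the post or of Fedora's tooling: a package digest is accepted only when at least `threshold` distinct trusted contributors have produced a valid signature over it, so one stolen or rogue key cannot push a package through on its own. The Ed25519 keys, contributor IDs and package bytes are constructed here, and the `Accept` policy stands in for whatever the repository side would enforce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature is one contributor's detached signature over the package digest.
type Signature struct {
	SignerID string
	Sig      []byte
}

// Accept implements the k-of-n rule from the post: the package is valid only
// once at least threshold distinct trusted contributors have signed it.
// Unknown IDs, bad signatures and repeats of one key never raise the count.
func Accept(trusted map[string]ed25519.PublicKey, threshold int, digest []byte, sigs []Signature) (bool, int) {
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, ok := trusted[s.SignerID]
		if ok && !seen[s.SignerID] && ed25519.Verify(pub, digest, s.Sig) {
			seen[s.SignerID] = true
		}
	}
	return len(seen) >= threshold, len(seen)
}

// Demo builds a constructed 2-of-3 policy and returns verdicts for two honest
// signers, one honest key used twice, and one honest plus one forged signature.
func Demo() (twoHonest, sameKeyTwice, oneForged bool) {
	trusted, priv := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, id := range []string{"contributor0", "contributor1", "contributor2"} {
		trusted[id], priv[id], _ = ed25519.GenerateKey(rand.Reader)
	}
	digest := sha256.Sum256([]byte("constructed package bytes")) // stand-in for the built RPM
	sig := func(id string, sk ed25519.PrivateKey) Signature { return Signature{id, ed25519.Sign(sk, digest[:])} }
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // key an attacker controls, not contributor1's
	twoHonest, _ = Accept(trusted, 2, digest[:], []Signature{sig("contributor0", priv["contributor0"]), sig("contributor1", priv["contributor1"])})
	sameKeyTwice, _ = Accept(trusted, 2, digest[:], []Signature{sig("contributor0", priv["contributor0"]), sig("contributor0", priv["contributor0"])})
	oneForged, _ = Accept(trusted, 2, digest[:], []Signature{sig("contributor0", priv["contributor0"]), sig("contributor1", rogue)})
	return
}

func main() {
	fmt.Println(Demo()) // true false false
}
```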