
Where does the RHEL 7 source code live?

Where does the RHEL 7 source code live?

Posted Jul 3, 2014 22:27 UTC (Thu) by dowdle (subscriber, #659)
In reply to: Where does the RHEL 7 source code live? by jcpunk
Parent article: Where does the RHEL 7 source code live?

Your contention is... what if someone bad gets root? That's always an issue with everything. What if someone gets root at Red Hat and could sign the packages?


Where does the RHEL 7 source code live?

Posted Jul 4, 2014 0:21 UTC (Fri) by jcpunk (subscriber, #95796) (2 responses)

I'm afraid I disagree with your summary of my position.

Are you in agreement with the various steps within the argument? Do you take exception with any aspects?

To further press the issue: since it is logically possible to steal the Red Hat signing key, should we therefore sign nothing since the SHA sums are posted on RHN?

The current git.centos.org repos take roughly that approach.

Where does the RHEL 7 source code live?

Posted Jul 4, 2014 3:41 UTC (Fri) by mjg59 (subscriber, #23239) (1 responses)

Why is it logically possible to steal the Red Hat key?

Where does the RHEL 7 source code live?

Posted Jul 4, 2014 21:13 UTC (Fri) by dag- (guest, #30207)

I would contend that for Red Hat the signing key is business critical, but the git.centos.org repository is not. So no doubt the key is well secured, and the process to sign packages is well protected as it would hurt their business and harm the trust customers have in them. git.centos.org not so much.

What's more, git.centos.org has (the same and) more attack vectors than the signing key/SRPMs used to have. So overall it is less secure than the previous way of working (which was the same for customers as it was for everyone else).
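The distinction jcpunk and dag- are arguing over (a SHA sum published on the same host as the artifact, versus a signature made with a key that never touches that host) can be made concrete. The following is an added example, not code from the thread or from Red Hat/CentOS tooling: it uses ed25519 as a stand-in for the RPM GPG signature, a constructed byte string as a stand-in for an SRPM, and a `Mirror` struct as a stand-in for a public distribution host such as git.centos.org.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Mirror models a public distribution point (a git.centos.org-like host):
// the artifact, its checksum and its detached signature all live side by
// side on the same server. Hypothetical type for this example.
type Mirror struct {
	Artifact []byte // constructed stand-in for an SRPM / git tree
	Checksum string // hex SHA-256 published next to the artifact
	Sig      []byte // detached ed25519 signature made on the signing host
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish is what the vendor does: sign on a host that holds the private
// key, then push artifact, checksum and signature to the public mirror.
func Publish(priv ed25519.PrivateKey, artifact []byte) Mirror {
	return Mirror{
		Artifact: artifact,
		Checksum: sha256Hex(artifact),
		Sig:      ed25519.Sign(priv, artifact),
	}
}

// Compromise is what an attacker with root on the mirror can do: swap the
// artifact and regenerate the checksum file beside it. They cannot produce
// a new signature without the private key, so the stale one stays behind.
func Compromise(m Mirror, evil []byte) Mirror {
	return Mirror{Artifact: evil, Checksum: sha256Hex(evil), Sig: m.Sig}
}

// VerifyChecksum trusts a checksum fetched from the same host as the
// artifact, which is all a "sha256sum -c" against a posted sum gives you.
func VerifyChecksum(m Mirror) bool {
	return sha256Hex(m.Artifact) == m.Checksum
}

// VerifySignature checks against a public key obtained out of band, the
// equivalent of the vendor key already imported into your rpm keyring.
func VerifySignature(pub ed25519.PublicKey, m Mirror) bool {
	return ed25519.Verify(pub, m.Artifact, m.Sig)
}

// Scenario runs the whole exchange and returns whether the checksum and
// the signature still verify after the mirror has been tampered with.
func Scenario() (checksumOK bool, signatureOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample contents; not a real SRPM.
	good := []byte("bash-4.2.45-5.el7.src.rpm: constructed sample contents")
	m := Publish(priv, good)
	if !VerifyChecksum(m) || !VerifySignature(pub, m) {
		panic("a fresh publication must verify both ways")
	}
	evil := bytes.Replace(good, []byte("constructed"), []byte("backdoored"), 1)
	t := Compromise(m, evil)
	return VerifyChecksum(t), VerifySignature(pub, t)
}

func main() {
	c, s := Scenario()
	fmt.Printf("after mirror compromise: checksum ok=%v, signature ok=%v\n", c, s)
}
```

Run with `go run`: the checksum still "verifies" because whoever owns the mirror also owns the checksum file, while the signature fails because the private key was never on that host. That is the asymmetry dag- is pointing at: a key that is business critical and kept off the public server is a smaller target than a repository that must accept pushes from the internet-facing side. The real-world equivalents are `sha256sum -c` against a posted sum on one side and `rpm -K` (alias `rpm --checksig`) against an imported vendor key on the other.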

Where does the RHEL 7 source code live?

Posted Jul 10, 2014 20:29 UTC (Thu) by boklm (guest, #34568)

That is not the same. Securing a public facing server that hosts git repositories is difficult.

Securing a server on a private network that is only used to sign packages should be easier.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds