[OM Cooker] Trusted RPM packages

Jeff Johnson n3npq at mac.com
Mon Jan 18 06:43:08 EST 2016


On Jan 18, 2016, at 5:56 AM, Jeff Johnson wrote:

>> 
>> I do not understand what non-repudiable means :(
>>  
> 
> Apologies for the techno jargon (but I am reluctant to invent newer! better! bestest! terms)
> 
> A repudiation is a statement denying some claim like this:
> 	Q: Did you modify anything in the package?
> 	A: No.
> 
> So a non-repudiable signature is a public/global assertion that nothing whatsoever is changed.

Here is perhaps a better (i.e. more explicit) example of repudiation(s):

	Claim:			My machine was rooted by installing a *Mandriva rpm package from this mirror.
	Repudiation #1:	That package wasn't downloaded from this mirror.
	Repudiation #2:	That is not a *Mandriva package because its not signed with a Mandriva key.
	Repudiation #3:	That is not a package produced by rpm because (various reasons, like the
		package might have been altered after being built).

By including a non-repudiable signature, #3 provides a stronger/transparent mechanism that a
package was not altered after being built.

By registering a manifest with virtual-notary, *Mandriva would be providing some means to resolve
the issues associated with #1 and #2, and avoiding issues related to "official" key compromises.

hth

73 de Jeff




More information about the OM-Cooker mailing list