[OM Cooker] Trusted RPM packages
Jeff Johnson
n3npq at mac.com
Mon Jan 18 06:43:08 EST 2016
On Jan 18, 2016, at 5:56 AM, Jeff Johnson wrote:
>>
>> I do not understand what non-repudiable means :(
>>
>
> Apologies for the techno jargon (but I am reluctant to invent newer! better! bestest! terms)
>
> A repudiation is a statement denying some claim like this:
> Q: Did you modify anything in the package?
> A: No.
>
> So a non-repudiable signature is a public/global assertion that nothing whatsoever is changed.
Here is perhaps a better (i.e. more explicit) example of repudiation(s):
Claim: My machine was rooted by installing a *Mandriva rpm package from this mirror.
Repudiation #1: That package wasn't downloaded from this mirror.
Repudiation #2: That is not a *Mandriva package because its not signed with a Mandriva key.
Repudiation #3: That is not a package produced by rpm because (various reasons, like the
package might have been altered after being built).
By including a non-repudiable signature, #3 provides a stronger/transparent mechanism that a
package was not altered after being built.
By registering a manifest with virtual-notary, *Mandriva would be providing some means to resolve
the issues associated with #1 and #2, and avoiding issues related to "official" key compromises.
hth
73 de Jeff
More information about the OM-Cooker
mailing list