Time to resurrect multi-key signatures in RPM?

Casimiro de Almeida Barreto casimiro.barreto at gmail.com
Mon Sep 1 09:48:19 UTC 2008


Bill Crawford wrote:
> On 30/08/2008, Bojan Smojver <bojan at rexursive.com> wrote:
>
>> Just for completeness, yum could alternatively accept say 5 keys from the
>> pool (but no Fedora key), so that any compromise of the central key does
>> not cause the current "change the Fedora key" hoopla. Simply resign by
>> others and continue.
>
> What might be good, is only signing packages with one or two keys, but
> only allowing those keys' public parts to be updated in rpm database
> (or wherever) if signed by a much larger number of keys, which would
> be owned by some trusted people from the fedora project. Then
> automated rollover could be done by simply providing a new "keyring"
> in updates.
>
BTW, updates are still frozen. What's the schedule for the normalization
of yum services? Will a special procedure need to be adopted by users?

Best regards,

CdAB
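As an added illustration of the rollover scheme Bill describes in the quoted text above (this is example code, not code from the thread and not from rpm or yum): packages are checked against a small keyring of one or two package-signing keys, while a replacement keyring is installed only if a threshold of a larger set of custodian keys has signed it. It uses Ed25519 from Go's standard library; the five custodians, the 3-of-5 threshold, the keyring serial-number replay check, the key-id derivation and the package digest are all constructed assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// Keyring holds the package-signing public keys that package signatures are
// checked against, plus a serial so an older keyring cannot be replayed.
type Keyring struct {
	Serial      uint64
	PackageKeys []ed25519.PublicKey
}

// KeyringUpdate is a candidate keyring plus custodian signatures over it,
// keyed by custodian key id so each custodian counts at most once.
type KeyringUpdate struct {
	Keyring    Keyring
	Signatures map[string][]byte
}

// Policy is the larger set of trusted custodian keys and how many of them
// must sign before a keyring update is accepted (assumed 3 of 5 below).
type Policy struct {
	Custodians map[string]ed25519.PublicKey
	Threshold  int
}

// keyID derives a short identifier from a public key (assumed scheme).
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return fmt.Sprintf("%x", sum[:8])
}

// Bytes is the canonical encoding that custodians sign: big-endian serial
// followed by the fixed-size keys in sorted order.
func (k Keyring) Bytes() []byte {
	keys := make([]string, len(k.PackageKeys))
	for i, pk := range k.PackageKeys {
		keys[i] = string(pk)
	}
	sort.Strings(keys)
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, k.Serial)
	for _, s := range keys {
		buf = append(buf, []byte(s)...)
	}
	return buf
}

// VerifyUpdate installs the update only if its serial is newer and at least
// Threshold distinct known custodians produced valid signatures over it.
func (p Policy) VerifyUpdate(current Keyring, upd KeyringUpdate) (Keyring, error) {
	if upd.Keyring.Serial <= current.Serial {
		return current, errors.New("keyring update not newer than current keyring")
	}
	msg := upd.Keyring.Bytes()
	valid := 0
	for id, sig := range upd.Signatures {
		pub, ok := p.Custodians[id]
		if ok && ed25519.Verify(pub, msg, sig) { // unknown signers do not count
			valid++
		}
	}
	if valid < p.Threshold {
		return current, fmt.Errorf("only %d of %d required custodian signatures", valid, p.Threshold)
	}
	return upd.Keyring, nil
}

// VerifyPackage accepts a package if any key in the current keyring signed it.
func VerifyPackage(k Keyring, pkg, sig []byte) bool {
	for _, pk := range k.PackageKeys {
		if ed25519.Verify(pk, pkg, sig) {
			return true
		}
	}
	return false
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signUpdate has the given custodians sign a candidate keyring.
func signUpdate(kr Keyring, signers []ed25519.PrivateKey) KeyringUpdate {
	upd := KeyringUpdate{Keyring: kr, Signatures: map[string][]byte{}}
	msg := kr.Bytes()
	for _, priv := range signers {
		pub := priv.Public().(ed25519.PublicKey)
		upd.Signatures[keyID(pub)] = ed25519.Sign(priv, msg)
	}
	return upd
}

// Rollover walks the scenario: a package verifies under the old keyring, a
// 2-of-5 update is rejected, a 3-of-5 update is installed, and afterwards the
// compromised old key no longer verifies packages while the new key does.
func Rollover() [5]bool {
	policy := Policy{Custodians: map[string]ed25519.PublicKey{}, Threshold: 3}
	var custPriv []ed25519.PrivateKey
	for i := 0; i < 5; i++ {
		pub, priv := genKey()
		policy.Custodians[keyID(pub)] = pub
		custPriv = append(custPriv, priv)
	}
	oldPub, oldPriv := genKey()
	current := Keyring{Serial: 1, PackageKeys: []ed25519.PublicKey{oldPub}}
	pkg := []byte("constructed digest of foo-1.0-1.fc9.x86_64.rpm")
	var r [5]bool
	r[0] = VerifyPackage(current, pkg, ed25519.Sign(oldPriv, pkg))
	newPub, newPriv := genKey() // fresh package key after the old one is compromised
	next := Keyring{Serial: 2, PackageKeys: []ed25519.PublicKey{newPub}}
	_, err := policy.VerifyUpdate(current, signUpdate(next, custPriv[:2]))
	r[1] = err != nil
	current, err = policy.VerifyUpdate(current, signUpdate(next, custPriv[:3]))
	r[2] = err == nil && current.Serial == 2
	r[3] = !VerifyPackage(current, pkg, ed25519.Sign(oldPriv, pkg))
	r[4] = VerifyPackage(current, pkg, ed25519.Sign(newPriv, pkg))
	return r
}

func main() {
	fmt.Println("rollover steps behaved as intended:", Rollover())
}
```

The serial check matters as much as the threshold: without it, an attacker who has the old keyring and its old custodian signatures could push the compromised key back in after a rollover.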