Fedora 8 and 9 updates re-enabled
Jonathan Underwood
jonathan.underwood at gmail.com
Wed Sep 10 16:00:52 UTC 2008
2008/9/10 Paul Wouters <paul at xelerance.com>:
> On Tue, 9 Sep 2008, Jesse Keating wrote:
>
>> Most users will simply need to apply the offered updates, and later
>> apply any further updates, and verify/import the new GPG key.
>
>> For more details and an FAQ, please see
>> https://fedoraproject.org/w/index.php?title=Enabling_new_signing_key
>
> One question I don't see answered is whether the upgrade system purges
> the trust on the old key from our systems after verification of the new
> key. Otherwise, some DNS or wifi hack in the future could lead me to
> a false update site using the old compromised key and my system would
> still install those updates.
>
>From the original notification:
"There will be further milestones in the future that involve redirection
of release package repos to match that of updates, and removing of old
gpg key from rpm trust."
i.e. at this point the old key is not purged, but it will be in the
future. Since the resigned repos of the fedora repo are not yet
activated (only the updates-newkey is activated), the old key is still
required to install software. That's my reading of the notice, anyhow.
More information about the fedora-devel-list
mailing list