Why different keys for -testing and non-testing?

Steve Grubb sgrubb at redhat.com
Sat Jan 17 15:31:06 UTC 2009


On Saturday 17 January 2009 10:19:21 am Douglas E. Warner wrote:
> On 01/16/2009 Jesse Keating wrote:
> > Given that we can't revoke, yes, we plan to use new keys each release.
> > We can use gpg web-o-trust thing and sign the new keys with the old
> > keys and whatnot, does that actually help people?
>
> Why couldn't we revoke keys?  Even if RPM itself doesn't have the
> capability, we could have yum periodically check for updates on installed
> keys on keyservers through a plugin, I would imagine.

I have a machine that has been migrated for a long time. It has 9 
gpg-pubkey packages installed. Which ones are valid? Why don't they get 
retired by obsoletes or something? Could someone use my ancient gpg-pubkeys 
as a basis for an attack on repo metadata 
(http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html) 
and provide an older package with known security holes? 

Old keys should be retired. We should also make import of keys an auditable 
event.

-Steve
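One way to answer "which of my gpg-pubkey packages are still valid" from the defender's side, as an added example that is not part of this thread: parse the rpm query output and flag every installed key that is not on the allow-list for the release actually installed. The sample output, key ids and allow-list below are constructed, and reading the release field as the key's creation time in hex is an assumption.

```python
"""Audit installed gpg-pubkey packages against the keys the current release
should trust, so stale keys can be retired instead of staying trusted forever.

Added example (not from the thread). Sample output and key ids are constructed.
"""
from dataclasses import dataclass

# Constructed sample of:
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# VERSION is the lower-case 8-hex-digit short key id; RELEASE is taken here
# (assumption) to be the key creation time as hex seconds since the epoch.
SAMPLE_RPM_OUTPUT = (
    "gpg-pubkey-aaaaaaaa-4745b4b2\tgpg(Example Project (10) <rel@example.invalid>)\n"
    "gpg-pubkey-bbbbbbbb-491b6e6c\tgpg(Example Project (11) <rel@example.invalid>)\n"
    "gpg-pubkey-cccccccc-3d4cc5ce\tgpg(Example Project (3) <rel@example.invalid>)\n"
)

# Allow-list: the key(s) published for the release actually installed (constructed).
CURRENT_RELEASE_KEYS = frozenset({"bbbbbbbb"})


@dataclass(frozen=True)
class InstalledKey:
    package: str   # full gpg-pubkey-<keyid>-<release> name, usable with rpm -e
    keyid: str
    created: int   # epoch seconds parsed from the release field
    summary: str


def parse_gpg_pubkeys(text: str) -> list[InstalledKey]:
    """Parse the rpm query output above into InstalledKey records."""
    keys = []
    for line in text.splitlines():
        if not line.strip():
            continue
        package, _, summary = line.partition("\t")
        name, keyid, release = package.rsplit("-", 2)
        if name != "gpg-pubkey" or len(keyid) != 8:
            raise ValueError(f"unexpected package name: {package}")
        keys.append(InstalledKey(package, keyid, int(release, 16), summary))
    return keys


def stale_keys(keys, allowed=CURRENT_RELEASE_KEYS) -> list[InstalledKey]:
    """Keys rpm still trusts that are not on the current release's allow-list."""
    return [k for k in keys if k.keyid not in allowed]


def retirement_commands(keys, allowed=CURRENT_RELEASE_KEYS) -> list[str]:
    """One 'rpm -e' per stale key; review the list before running it for real."""
    return [f"rpm -e {k.package}" for k in stale_keys(keys, allowed)]


if __name__ == "__main__":
    for cmd in retirement_commands(parse_gpg_pubkeys(SAMPLE_RPM_OUTPUT)):
        print(cmd)
```

On a real host, feed the output of the quoted `rpm -q` command into `parse_gpg_pubkeys` and replace the allow-list with the key ids your distribution publishes for the installed release.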



