https://koji.fedoraproject.org is signed with an unknown certificate (extras64.linux.duke.edu)
Till Maas
opensource at till.name
Mon Oct 15 16:21:40 UTC 2007
On Monday 15 October 2007 00:32:40 Mike McGrath wrote:
> This isn't actually causing any practical problems so I've been ignoring
There are practical problems, e.g. the unsigned rpms from koji are not
accessible in a trusted way, which they would be if there was a certificate
that can be verified.
> it. As far as man in the middle attack... someone will think they've
> submitted a build but haven't? either way I'll submit a purchase
Maybe there can be only little harm done in a mitm attack against koji. But
why should a user wonder when he gets a "bad" certificate for
admin.fedoraproject.org? He already knows this from his experience with
koji.fedoraproject.org, so this seems to be normal for Fedora for him and he
may just accept the bad certificate.
Regards,
Till