F8/F9 updates

Kevin Kofler kevin.kofler at chello.at
Tue Aug 26 23:06:09 UTC 2008


Rahul Sundaram <sundaram <at> fedoraproject.org> writes:
> Since Fedora has changed its key now, new pushes require packages to be 
> (re)signed with the new key. Release engineering is still working out 
> the details with Fedora Engineering Steering Committee.

IMHO it would be much safer to push them out with the old key (I sure hope the 
private key was kept around somewhere - it's also needed to generate 
revocations!) in the meantime than not to push any updates at all. Some of 
those updates are security updates; not pushing them effectively means the 
intruder was successful at DoSing our flow of security updates and rendering 
target systems vulnerable. I consider the threat of not applying security 
updates to be much higher than the threat of a potentially compromised (*) 
signature: many people install completely unsigned packages, e.g. "I just 
fetched build $nevr from Koji", Rawhide packages, third-party packages with no 
signature (even from servers where it isn't clear whether they can be trusted); 
people also import signing keys from many third-party repositories whose 
security practices (or even whose own trustworthiness) are not controlled by 
the Fedora Project.

(*) (even not taking into account the fact that the signing key probably wasn't 
actually compromised in the first place according to the announcement)

        Kevin Kofler



