Secrecy and user trust

Bill Davidsen davidsen at tmr.com
Wed Sep 3 14:30:39 UTC 2008


Anders Karlsson wrote:
> * Travis Arnold <vestwearingpunk at gmail.com> [20080902 22:52]:
> [drivel snipped]
>> Hey I am currently downloading the ISO dvd to install after I finish my
>> day's lessons, is this not a good idea to do?
> 
> The word from the Fedora folks on Aug 14th was - don't update until
> further notice. Since then, they have - IIRC - said it's safe to do
> so. The ISOs should be safe, as well as the packages that you can
> update to from the servers.
> 
> New updates should start rolling once they have re-signed everything.
> 
Distributing that will be quite slow, since they need to (a) validate,
then (b) sign, then (c) distribute out-of-band to mirrors, and then,
hardest of all, find a secure way to provide the public part of the
signing key. Obviously you don't risk letting someone slip in a bogus
NEW fake key and go around on this again.

Suggestion: since the livna key is still secure (AFAIK) let them 
distribute the new Fedora key and sign the RPM.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
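
The key-distribution problem raised in the message above, as an added example that is not part of the original post or of Fedora's tooling: a replacement signing key is accepted only if its OpenPGP v4 fingerprint matches one obtained over a separate trusted channel. The function names are hypothetical and both keys are constructed toy packets, not real keys.

```python
import hashlib
import struct

def public_key_body(data: bytes) -> bytes:
    """Body of the leading Public-Key packet (tag 6) in binary OpenPGP data."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:  # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body length is invalid for a key packet")
    else:  # old-format header: low two bits give the size of the length field
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << ltype
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[off:off + length]
    if tag != 6 or len(body) != length:
        raise ValueError("expected one complete public-key packet")
    return body

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_matches_pin(key_data: bytes, pinned: str) -> bool:
    """True only if the key's fingerprint equals the one obtained out of band."""
    return v4_fingerprint(public_key_body(key_data)) == "".join(pinned.split()).upper()

def constructed_key(modulus: int) -> bytes:
    """Constructed toy RSA public-key packet for the demo, not a real key."""
    def mpi(n: int) -> bytes:
        return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1220400000) + b"\x01" + mpi(modulus) + mpi(65537)
    return b"\x99" + struct.pack(">H", len(body)) + body

GENUINE = constructed_key((1 << 511) + 12345)      # stands in for the new signing key
SUBSTITUTED = constructed_key((1 << 511) + 54321)  # a different key offered on a mirror
PIN = v4_fingerprint(public_key_body(GENUINE))      # stands in for the out-of-band fingerprint
```

The check is only as strong as the channel the pinned fingerprint arrives on; a fingerprint fetched from the same mirror as the key file proves nothing.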



