Using out-of-date GPG to sign Fedora releases...
Bram_Gro
Bram_Gro at lavabit.com
Mon Apr 13 10:23:14 UTC 2009
Hi,
It will be appreciated if all the checksums of future releases are
signed with a up-to-date version of GPG. There are currently some files,
including all of the Fedora 11 releases that are signed with a
out-of-date version of Gnupg 1.4.5 from 2006, instead of the latest
1.4.9. I don't know if any potential security issue is related to this
practice, but there is quite a large list of security problems between
1.4.5 and 1.4.9.
Some examples:
Gnupg 1.4.5
ftp://alviss.et.tudelft.nl/pub/fedora/linux/releases/10/Fedora/x86_64/iso/SHA1SUM
Gnupg 1.4.9
ftp://alviss.et.tudelft.nl/pub/fedora/linux/releases/10/Live/x86_64/SHA1SUM
Gnupg 1.4.5
ftp://alviss.et.tudelft.nl/pub/fedora/linux/releases/test/11-Beta/Live/x86_64/F11-Beta-x86_64-Live-KDE-CHECKSUM
Bram.
More information about the fedora-list
mailing list