Using out-of-date GPG to sign Fedora releases...
Todd Zullinger
tmz at pobox.com
Mon Apr 13 12:30:35 UTC 2009
Bram_Gro wrote:
> It will be appreciated if all the checksums of future releases are
> signed with a up-to-date version of GPG. There are currently some
> files, including all of the Fedora 11 releases that are signed with
> a out-of-date version of Gnupg 1.4.5 from 2006, instead of the
> latest 1.4.9. I don't know if any potential security issue is
> related to this practice, but there is quite a large list of
> security problems between 1.4.5 and 1.4.9.
You're presuming that the gnupg used is an unpatched version. More
likely, it's the version shipped by RHEL, which has any known security
fixes backported. I don't think there's anything to worry about here.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cover a war in a place where you can't drink beer or talk to a woman?
Hell no!"
-- Hunter S. Thompson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20090413/332a774b/attachment-0001.sig>
More information about the fedora-list
mailing list