Using out-of-date GPG to sign Fedora releases...
Michael Schwendt
mschwendt at gmail.com
Mon Apr 13 14:49:44 UTC 2009
On Mon, 13 Apr 2009 08:30:35 -0400, Todd wrote:
> Bram_Gro wrote:
> > It will be appreciated if all the checksums of future releases are
> > signed with a up-to-date version of GPG. There are currently some
> > files, including all of the Fedora 11 releases that are signed with
> > a out-of-date version of Gnupg 1.4.5 from 2006, instead of the
> > latest 1.4.9. I don't know if any potential security issue is
> > related to this practice, but there is quite a large list of
> > security problems between 1.4.5 and 1.4.9.
>
> You're presuming that the gnupg used is an unpatched version. More
> likely, it's the version shipped by RHEL, which has any known security
> fixes backported. I don't think there's anything to worry about here.
??? What do vulnerabilities in GnuPG have to do with the signatures?
Why don't you use 1.4.9 to verify those signatures?
More information about the fedora-list
mailing list