[katello-devel] GPG keys - proposed solution
Bryan Kearney
bkearney at redhat.com
Tue Nov 22 13:29:42 UTC 2011
On 11/22/2011 02:16 AM, Ohad Levy wrote:
>
>
> ----- Original Message -----
> | On 11/16/2011 03:44 AM, Ohad Levy wrote:
> |> now, my question is concerned security:
> |> pulp trust the repo based of the ssl cert, and the client trust the
> |> packages based on the gpg key (and ssl), however, in this case, if
> |> someone was to hijack the repo, he could replace the gpg key as
> |> well (meaning ssl certs is all that is required), does anyone see
> |> an issue with that?
> |
> | What if the gpgkey was in another location, not tied to the repo?
> | Then
> | they would need to hikjack both. Would that be better?
> |
> I guess what we could do, is to keep the gpg key within katello (and not the url itself), this would allow the user to upload the gpg key for his custom repo and subscription-manager(?) to fetch it from katello when configuring yum.
>
>
> Ohad
I dont know if htis is correct.. just a n idea.
-- bk
More information about the katello-devel
mailing list