Re: [Fedora-legal-list] Hosting Fedora cloud images


 



On 10/28/2013 03:48 AM, Richard W.M. Jones wrote:

> (5) Digital signatures: Currently virt-builder requires all indexes
> and images to be signed by yours truly unless you go through an
> involved process described here:
>
> http://libguestfs.org/virt-builder.1.html#setting-up-a-gpg-key
>
> We need to fix this, but key management is a non-trivial problem,
> since we cannot host the public key in the same place as the index &
> images (an attacker could replace both the images & key at the same
> time).  What's the strategy going to be for signing these cloud images?

Hmmm, you do indeed have to be very careful with the private key, but as stated this problem didn't make much sense to me: you host the key on a keyserver and you don't have a replacement problem for the /public/ key.

Passing around the private key for doing the signing is certainly a tricky problem.


_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




