On Monday 15 October 2007 00:32:40 Mike McGrath wrote:
> This isn't actually causing any practical problems so I've been ignoring

There are practical problems, e.g. the unsigned rpms from koji are not accessible in a trusted way, which they would be if there was a certificate that can be verified.

> it. As far as man in the middle attack... someone will think they've
> submitted a build but haven't? either way I'll submit a purchase

Maybe there can be only little harm done in a mitm attack against koji. But why should a user wonder when he gets a "bad" certificate for admin.fedoraproject.org? He already knows this from his experience with koji.fedoraproject.org, so this seems to be normal for Fedora for him and he may just accept the bad certificate.

Regards,
Till