Re: F8/F9 updates


 



Rahul Sundaram <sundaram <at> fedoraproject.org> writes:
> Since Fedora has changed its key now, new pushes require packages to be 
> (re)signed with the new key. Release engineering is still working out 
> the details with Fedora Engineering Steering Committee.

IMHO it would be much safer to push them out with the old key (I sure hope the 
private key was kept around somewhere - it's also needed to generate 
revocations!) in the meantime than not to push any updates at all. Some of 
those updates are security updates; not pushing them effectively means the 
intruder was successful at DoSing our flow of security updates and rendering 
target systems vulnerable. I consider the threat of not applying security 
updates to be much higher than the threat of a potentially compromised (*) 
signature: many people install completely unsigned packages, e.g. "I just 
fetched build $nevr from Koji", Rawhide packages, third-party packages with no 
signature (even from servers where it isn't clear whether they can be trusted); 
people also import signing keys from many third-party repositories whose 
security practices (or even whose own trustworthiness) are not controlled by 
the Fedora Project.

(*) (even not taking into account the fact that the signing key probably wasn't 
actually compromised in the first place according to the announcement)

        Kevin Kofler
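The post contrasts packages signed with a trusted project key, packages signed with third-party keys, and packages with no signature at all. The script below is an added example, not part of this thread or of Fedora's tooling: it audits the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'` and sorts installed packages into those three classes against an allow-list of key IDs (for instance the old and the new Fedora keys during a transition). The sample output, the package versions and every key ID in it are constructed placeholders, and the parser assumes the `..., Key ID <hex>` tail that `rpm` prints for `pgpsig`-formatted signature tags.

```python
import re
import subprocess

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'`
# output. Package versions and key IDs are placeholders, not real Fedora values.
SAMPLE_RPM_OUTPUT = """\
bash-3.2-30.fc9 RSA/SHA1, Mon 01 Sep 2008 12:00:00 PM CEST, Key ID 00000000aaaaaaaa
openssl-0.9.8g-9.fc9 RSA/SHA1, Tue 02 Sep 2008 12:00:00 PM CEST, Key ID 00000000bbbbbbbb
mypkg-1.0-1.fc9 (none)
thirdparty-2.1-3 DSA/SHA1, Wed 03 Sep 2008 12:00:00 PM CEST, Key ID 00000000cccccccc
"""

# Placeholder allow-list: the "old" and "new" project keys during a key rollover.
TRUSTED_KEY_IDS = ["00000000aaaaaaaa", "00000000bbbbbbbb"]

# rpm prints the signing key at the end of the pgpsig string as "Key ID <hex>";
# an unsigned package prints "(none)" and therefore has no key ID.
KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})\s*$")


def parse_rpm_line(line):
    """Return (package, key_id_or_None) for one output line, or None if blank."""
    name, _, sig = line.strip().partition(" ")
    if not name:
        return None
    match = KEY_ID_RE.search(sig)
    return name, (match.group(1).lower() if match else None)


def audit(rpm_output, trusted_key_ids):
    """Classify packages by who signed them.

    trusted:       signed with a key on the allow-list
    untrusted_key: signed, but with a key not on the allow-list (third-party repos etc.)
    unsigned:      no PGP signature at all (local builds, Koji scratch builds, ...)
    """
    trusted = {k.lower() for k in trusted_key_ids}
    report = {"trusted": [], "untrusted_key": [], "unsigned": []}
    for line in rpm_output.splitlines():
        parsed = parse_rpm_line(line)
        if parsed is None:
            continue
        name, key_id = parsed
        if key_id is None:
            report["unsigned"].append(name)
        elif key_id in trusted:
            report["trusted"].append(name)
        else:
            report["untrusted_key"].append((name, key_id))
    return report


def read_installed():
    """Query the local rpm database (only works on an RPM-based host)."""
    fmt = "%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n"
    return subprocess.run(["rpm", "-qa", "--qf", fmt],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    result = audit(SAMPLE_RPM_OUTPUT, TRUSTED_KEY_IDS)
    for category, packages in result.items():
        print(f"{category}: {packages}")
```

On a real host, replace `SAMPLE_RPM_OUTPUT` with `read_installed()` and fill the allow-list with the key IDs you actually trust (`rpm -q gpg-pubkey --qf '%{VERSION} %{SUMMARY}\n'` lists the imported ones). The untrusted_key bucket is the interesting one for the argument above: it shows how much of a system already rests on keys whose custody the project does not control.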

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines