Kevin Fenzi wrote: > On Wed, 03 Sep 2008 10:30:39 -0400 > davidsen@xxxxxxx (Bill Davidsen) wrote: [...] >> and then hardest of all find a secure way to provide the public part >> of the signing key. Obviously you don't risk letting someone slip in >> a bogus NEW fake key and go around on this again. > > Indeed. > > The proposed plan (that has since had a few modifications): > http://lists.fedoraproject.org/pipermail/rel-eng/2008-August/001627.html Since rpm/yum don't have any method to handle a key revocation, this process is harder than it might otherwise be. As I understand the plan currently, the new key will be included in an updated fedora-release package that will be signed by the old key. This will make the change as transparent as possible for most users and since it is not believed that the old key is compromised at this time, it is reasonably secure. (Insert various caveats regarding the meaning of "reasonably secure" and "not believed ... compromised ..." as needed.) I presume that the new key's fingerprint and other details will be added to https://fedoraproject.org/keys sometime soon and that can be used by those who want a bit more verification of the new key before trusting it. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sanity is the trademark of a weak mind. -- Mark Harrold
Attachment:
pgpeWcDCF7ykq.pgp
Description: PGP signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines