Ed Greshko wrote:
Ed Greshko wrote:
It would be very nice if someone would fully define what they mean by
the very vague term "fake key".
In this context it would one that a user would install that was not the
one officially created for the packages in the fedora repository.
And along with that, define the method used to distribute said key in a
manner that would be oblivious to the all end users.
It doesn't have to fool all the end users, just you. Or someone with
content worth stealing, or on a network worth penetrating.
It has to be
oblivious to all end users such that nobody would be able to raise an
alarm in a reasonable amount of time.
What's a reasonable amount of time? A victim would notice if/when they
manage to get an official RPM that the key doesn't match (unless their
subverted packages remove the check) and might or might not do something
besides import the correct key.
If the public/private key methods employed today are as easy to
penetrate and subvert as some seem to be claiming then one has to
question why it hasn't already been done.
It's not easy to fool everyone. The question is whether there is a way
to start from scratch so you can't fool anyone.
--
Les Mikesell
lesmikesell@xxxxxxxxx
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
