Re: Secrecy and user trust

Ed Greshko wrote:

What's the point of having the key at all if you implicitly trust the
delivery mechanism of the RPM packages?

Good approach, answer a question with another question.

If you can't say why you need the key in the first place, there isn't
much hope of seeing why you need a different reason to trust the key
than the content it verifies.

Bzzzzttt...  Wrong!  You are attacking the current system and it is
incumbent on you to prove your points.

I'm not sure there is a 'current system', but if you mean the plan to use the old key validation for the installation of a package containing the new one and the new repo locations, I don't have a better suggestion.

I can't help but to see the irony in that those clamoring for "explicit
details" from the Fedora folks as to the nature, methods, damage
inflicted on the Fedora infrastructure are so devoid of details on how
their attack vector would work.  Their scenario amounts to...generate a
fake key pair, fool people in accepting it, sign compromised packages,
fool people into downloading and installing them...take over their systems.

I'm sure there are people capable of that - but in the planned scenario the same person has to also possess the old signing key.

--
  Les Mikesell
   lesmikesell@xxxxxxxxx
