On Mon, 13 Apr 2009 08:30:35 -0400, Todd wrote:

> Bram_Gro wrote:
> > It will be appreciated if all the checksums of future releases are
> > signed with an up-to-date version of GPG. There are currently some
> > files, including all of the Fedora 11 releases that are signed with
> > an out-of-date version of GnuPG 1.4.5 from 2006, instead of the
> > latest 1.4.9. I don't know if any potential security issue is
> > related to this practice, but there is quite a large list of
> > security problems between 1.4.5 and 1.4.9.
>
> You're presuming that the gnupg used is an unpatched version. More
> likely, it's the version shipped by RHEL, which has any known security
> fixes backported. I don't think there's anything to worry about here.

???

What do vulnerabilities in GnuPG have to do with the signatures?

Why don't you use 1.4.9 to verify those signatures?