Hi,

over five years ago, vulnerabilities in Fedora's (and others') package managers [1] were presented at USENIX. And even though yum has supported repo_gpgcheck since 2008 [2], Fedora still does not make use of it to protect the repo metadata.

Are there specific reasons why Fedora still does not sign its repo metadata to prevent metadata manipulation attacks (i.e. "hiding" updates)? The LWN article from 2009 somehow hinted that it was about to be enabled in Fedora 11 [1].

I filed a bug against fedora-release (covering the missing repo_gpgcheck in fedora.repo) [3]. Which component would I file the missing repomd.xml.asc (on Fedora's repositories) against?

thanks,
Joonas

[1] https://lwn.net/Articles/327847/
[2] http://lists.baseurl.org/pipermail/yum-devel/2008-August/005350.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1130491
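The two problems the message raises, a .repo file that enables gpgcheck but not repo_gpgcheck and the resulting "hide the update" attack on unsigned repomd.xml, as an added, self-contained illustration that is not code from Fedora, yum or the poster. The .repo text is constructed to resemble the layout of fedora.repo (hypothetical values), an HMAC stands in for the GPG detached signature that repomd.xml.asc would carry, and the revision/freshness check in the client model is an assumption made here to show the replay caveat, not a description of what yum actually does.

```python
"""Added example (not Fedora's or yum's code): audit .repo files for a
missing repo_gpgcheck, then model why signed packages alone do not stop
an attacker who serves tampered or stale repository metadata."""
import configparser
import hashlib
import hmac

# Constructed .repo content (hypothetical), shaped like fedora.repo:
# [fedora] verifies packages but not metadata, [updates] verifies both.
SAMPLE_REPO_FILE = """
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

[updates]
name=Fedora $releasever - $basearch - Updates
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
"""


def repos_without_metadata_check(repo_text):
    """Names of enabled repos whose metadata is not signature-checked."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    cp.read_string(repo_text)
    return [s for s in cp.sections()
            if cp.get(s, "enabled", fallback="1") == "1"
            and cp.get(s, "repo_gpgcheck", fallback="0") != "1"]


# Stand-in for the repository GPG key (assumption: HMAC instead of OpenPGP).
REPO_KEY = b"constructed-repository-signing-key"


def sign(data):
    return hmac.new(REPO_KEY, data, hashlib.sha256).hexdigest()


def verify(data, sig):
    return hmac.compare_digest(sign(data), sig)


def make_release(revision, packages):
    """Build signed packages plus a minimal repomd-like index listing their
    digests; repomd_asc plays the role of repomd.xml.asc."""
    pkgs = {n: {"blob": b, "sig": sign(b)} for n, b in packages.items()}
    index = f"revision={revision}\n" + "".join(
        f"{n}={hashlib.sha256(pkgs[n]['blob']).hexdigest()}\n" for n in sorted(pkgs))
    repomd = index.encode()
    return {"repomd": repomd, "repomd_asc": sign(repomd), "packages": pkgs}


def hide_update(release, package_name):
    """Attacker on a mirror drops one entry from the metadata; the packages
    themselves are untouched, so gpgcheck on them still passes."""
    lines = [l for l in release["repomd"].decode().splitlines()
             if not l.startswith(package_name + "=")]
    return {"repomd": ("\n".join(lines) + "\n").encode(),
            "repomd_asc": release["repomd_asc"], "packages": release["packages"]}


def client_update(served, repo_gpgcheck, last_seen_revision):
    """Model client: returns (True, available packages) or (False, reason)."""
    repomd = served["repomd"]
    if repo_gpgcheck and not verify(repomd, served["repomd_asc"]):
        return False, "repomd.xml.asc does not verify repomd.xml"
    entries = dict(l.split("=", 1) for l in repomd.decode().splitlines())
    # Freshness check (assumption): a genuinely signed but old index is a replay.
    if int(entries.pop("revision")) < last_seen_revision:
        return False, "metadata older than last seen revision (replay)"
    available = []
    for name, digest in entries.items():
        pkg = served["packages"][name]
        if (hashlib.sha256(pkg["blob"]).hexdigest() != digest
                or not verify(pkg["blob"], pkg["sig"])):
            return False, f"package {name} failed gpgcheck"
        available.append(name)
    return True, sorted(available)


if __name__ == "__main__":
    print("repos missing repo_gpgcheck:", repos_without_metadata_check(SAMPLE_REPO_FILE))
    v1 = make_release(1, {"foo-1.0": b"foo v1"})
    v2 = make_release(2, {"foo-1.0": b"foo v1", "foo-1.1": b"foo v1.1 security fix"})
    hidden = hide_update(v2, "foo-1.1")
    print("repo_gpgcheck=0, tampered:", client_update(hidden, False, 1))
    print("repo_gpgcheck=1, tampered:", client_update(hidden, True, 1))
    print("repo_gpgcheck=1, replayed v1:", client_update(v1, True, 2))
```

With repo_gpgcheck=0 the client happily installs from the edited index and never learns that foo-1.1 exists; with repo_gpgcheck=1 the edited index fails the signature check. The last case is the caveat: replaying the old but correctly signed v1 index passes the signature check, so signing repomd.xml closes the tampering hole but a client still needs some freshness rule to catch replays.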