On 1/7/21 6:16 PM, Tim via users wrote:
On Thu, 2021-01-07 at 10:30 -0800, Kevin Fenzi wrote:
Just to let everyone know here, this was a bug/issue with pungi (the
tool that makes repos for Fedora), plus a weird situation that caused
this.
It was fixed yesterday, and we are taking steps to prevent it from
happening again. :)
Sorry for the hassle.
It does make me want to know: Since unchecksummed RPMs were being put
out there for people to download. Did anybody verify the integrity of
them? (After the fact.) Should the people who did install them be
concerned about what they've already installed?
According to the longer explanation, it was a mixup between builds in
the rpm processing pipeline. So an unsigned rpm ended up getting pushed
out instead of the signed one. Unless someone happened to compromise a
mirror system at that exact time and modified that specific rpm,
everyone is fine. And I think there's actually a chain of checksums as
well, so that scenario might not even be plausible either.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx