On Saturday 17 January 2009 10:19:21 am Douglas E. Warner wrote:
> On 01/16/2009 Jesse Keating wrote:
> > Given that we can't revoke, yes, we plan to use new keys each release.
> > We can use gpg web-o-trust thing and sign the new keys with the old
> > keys and whatnot, does that actually help people?
>
> Why couldn't we revoke keys? Even if RPM itself doesn't have the
> capability, we could have yum periodically check for updates on installed
> keys on keyservers through a plugin, I would imagine.

I have a machine that has been migrated for a long time. It has 9 gpg-pubkey packages installed. Which ones are valid? Why don't they get retired by obsoletes or something?

Could someone use my ancient gpg-pubkeys as a basis for an attack on repo metadata (http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html) and provide an older package with known security holes?

Old keys should be retired. We should also make import of keys an auditable event.

-Steve

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
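The "which of my gpg-pubkey packages are still valid" question above can at least be narrowed down locally, because rpm encodes the key's creation time (as a hex epoch timestamp) in the release field of each gpg-pubkey package name. The script below is an added example, not code from the thread or from Fedora; it decodes that timestamp and flags keys older than a cutoff so an admin can review and remove them. The key ids, creation times and the "now" value are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original thread or the Fedora project):
# decode the creation time rpm embeds in gpg-pubkey package names and
# list keys older than a cutoff for manual review/removal.
# Package name layout: gpg-pubkey-<low 32 bits of key id>-<creation time, hex>

# key_creation_time NAME -> creation time in seconds since the epoch
key_creation_time() {
  rel=${1##*-}                      # release field = creation time in hex
  echo $(( 0x$rel ))
}

# stale_keys NOW MAX_AGE_SECS  (reads package names on stdin)
# prints every key created more than MAX_AGE_SECS before NOW
stale_keys() {
  now=$1; max_age=$2
  while read -r name; do
    [ -n "$name" ] || continue
    created=$(key_creation_time "$name")
    if [ $(( now - created )) -gt "$max_age" ]; then
      printf '%s\n' "$name"
    fi
  done
}

# Constructed sample: one key created in 2004, one in late 2008.
SAMPLE_KEYS='gpg-pubkey-11111111-40000000
gpg-pubkey-22222222-49000000'

THREE_YEARS=$(( 3 * 365 * 86400 ))

# Count stale keys in the sample as of a constructed "now" (Jan 2009).
count_stale_sample() {
  printf '%s\n' "$SAMPLE_KEYS" | stale_keys 1232000000 "$THREE_YEARS" | wc -l | tr -d ' '
}

# On a real host, replace the sample with the installed keys, e.g.:
#   rpm -q gpg-pubkey | stale_keys "$(date +%s)" "$THREE_YEARS"
# and review each hit with:  rpm -qi <name>   (shows the key owner uid)
count_stale_sample
```

Age alone does not prove a key is untrusted; the point of the check is to produce a short review list so that keys nobody can account for are removed (`rpm -e gpg-pubkey-...`) instead of staying importable indefinitely.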