On Sat, 2009-01-17 at 10:31 -0500, Steve Grubb wrote:
>
> I have a machine that has been migrated for a long time. It has 9
> gpg-pubkey packages installed. Which ones are valid? Why don't they get
> retired by obsoletes or something?

We explored these options after the incident. Last I heard the only current way this is going to work is if an updated rpm package is released that has a hardcoded distrust of the keys that might have been compromised. However, I do believe it's on their roadmap to revamp how keys are used so that we could revoke or expire keys, regardless of where they come from.

> Could someone use my ancient gpg-pubkeys
> as a basis for an attack on repo metadata
> (http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html)
> and provide an older package with known security holes?
>
> Old keys should be retired. We should also make import of keys an auditable
> event.

Are not all rpm actions audited? Importing a key essentially installs it into the rpm database.

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list