Re: fedup: does not verify source

Adam Williamson wrote:
> On Mon, 2012-12-17 at 11:27 -0500, Przemek Klosowski wrote:
> > On 12/17/2012 01:58 AM, Adam Williamson wrote:
> > > fedup essentially automates doing yum distro-sync across a reboot
> > > and in an isolated environment
> > 
> > I don't understand---the discussion started by pointing out that
> > fedup does not check signatures, then someone said that yum
> > distro-sync does it properly, and you're saying that fedup just
> > automates distro-sync. At which point is the signature checking
> > disabled then? and can it be restored?
> 
> anyhow, the tricky thing here lies in somehow making it safe for fedup
> to *automatically* import the correct key for the next release. This
> is a subtlish problem.

There's another thing that also needs to be fixed. If I've understood 
what I've read correctly, then Fedup downloads a kernel and a ramdisk 
which make up that isolated environment that Adam mentioned. Those files 
aren't RPM packages and aren't signed like the packages are. Those who 
have the secret keys need to start signing the kernel/ramdisk pair, and 
Fedup needs to verify that signature. Naturally the signature must be 
verified before the kernel/ramdisk pair is booted.

Björn Persson
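
The check proposed in this message, as an added example (not fedup's code and not from anyone in the thread). It assumes a hypothetical sha256sum-style manifest that lists the kernel and ramdisk, a detached OpenPGP signature over that manifest, and a keyring that is already trusted on the running system; the file names `vmlinuz` and `initramfs.img` are placeholders.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path

# Assumed file names; the thread does not say what the images are called.
REQUIRED = ("vmlinuz", "initramfs.img")

def signature_is_valid(manifest: Path, signature: Path, keyring: Path) -> bool:
    """Check the detached signature on the manifest with gpgv.

    gpgv accepts only keys in the given keyring, so nothing fetched
    alongside the images can vouch for itself.
    """
    cmd = ["gpgv", "--keyring", str(keyring.resolve()),
           str(signature), str(manifest)]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
    except FileNotFoundError:  # gpgv not installed: fail closed
        return False
    return result.returncode == 0

def parse_manifest(text: str) -> dict:
    """Parse 'sha256hex  filename' lines into {filename: digest}."""
    digests = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            digests[name.strip().lstrip("*")] = digest.lower()
    return digests

def images_match_manifest(manifest_text: str, image_dir: Path) -> bool:
    """True only if every required image exists and matches its digest."""
    digests = parse_manifest(manifest_text)
    for name in REQUIRED:
        expected = digests.get(name)
        path = image_dir / name
        if expected is None or not path.is_file():
            return False  # an unlisted or missing image is a failure
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True

def safe_to_boot(manifest: Path, signature: Path, keyring: Path,
                 image_dir: Path) -> bool:
    """Signature first, then digests; both must pass before booting."""
    if not signature_is_valid(manifest, signature, keyring):
        return False
    return images_match_manifest(manifest.read_text(), image_dir)
```

The manifest's signature is checked before its contents are used, and the kernel and ramdisk are hashed from the same local files that would then be booted.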
