On 11/01/2017 10:37 PM, Kevin Fenzi wrote:
> On 11/01/2017 01:07 PM, Christopher wrote:
>> On Wed, Nov 1, 2017 at 3:26 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>>> On 10/31/2017 01:08 PM, Christopher wrote:
>>>> [...]
>>> I personally don't see much advantage in expiring old keys or the like.
>>> The only attack vector I can see is tricking someone into installing a
>>> package from an EOL release with a known vulnerability, but if you can do
>>> that you likely can get them to just download it and install it or
>>> download your resigned package and have them accept the key or any
>>> number of things.
>> Yeah, that's the attack vector I was thinking. It's also the case that
>> somebody could be tricked into installing an older version of a patched
>> package from the current release, which is signed by the same GPG key. So,
>> maybe it's not much of a mitigation of anything. Still, I think adding a
>> reasonable expiration date is good practice... and warning during
>> verification (or making a verification policy configurable in yum/dnf)
>> might be a good idea.
> Well, feel free to file RFEs on yum/rpm/dnf, but I suspect they have
> lots of more important things to implement.

I actually mostly implemented OpenPGP expiry for rpm last spring, but
never pushed it upstream because in the end it seemed so ... meh.
Yeah, it could be made to warn at install-time, but to what benefit really?
It's better to have rpm verify the expired signature than have people
use --nosignature to shut up annoying warnings.

- Panu -
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx