On Fri, Jun 11, 2021 at 5:09 AM Vitaly Zaitsev via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > On 11.06.2021 09:42, Huzaifa Sidhpurwala wrote: > > One possible step in this direction is the ability to ensure that there > > is no distribution point tampering of binaries shipped in Fedora. > > All RPM packages are already digitally signed by Fedora GPG keys. No > further actions is required. > > If someone MITM replaces the RPM package, it will fail the gpg signature > check and will not be installed. > We do not, however, have GPG signatures on repository metadata. Which means that we can't guarantee the repositories aren't tampered with. This is especially problematic for people who use local mirrors or do net installs. Also, Anaconda still doesn't do GPG checks[1]. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=998 (yes, really!) -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
