Richard Hughes wrote:
> I can't speak to the other stuff that people were saying but this one actually is a problem in the current situation. In this situation we trust the media but don't trust the signing key that's on the media. We need to get the new key installed and the old key uninstalled (probably going to be dealt with as a separate problem) so that we can verify updates.
>
> wwoodsf13: yeah, it's weaksauce, but you remember the failure condition for PK was *SO BAD* that we added last-minute horrible hacks to anaconda over jeremy's (valid) objections

I guess by hacks you meant that I wanted anaconda to auto-import the fedora signing key at install time. To be blunt, if the media is compromised, then unsigned updates are the _last_ of your problems -- think what would happen if a compromised kernel or sshd was installed - a remote exploit without even installing a single update. The only way you can guarantee the authenticity of the media is to post its sha1sum in a well known place that we test the image against - which is basically what we do now. Asking the user to agree that key abcdef12345 corresponds to the fedora project at first boot is just security through obscurity. Ubuntu and other distributions don't make you do this.
-Toshio
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list