Re: Fedora 8 and 9 updates re-enabled

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2008/9/10 Paul Wouters <paul@xxxxxxxxxxxxx>:
> On Tue, 9 Sep 2008, Jesse Keating wrote:
>
>> Most users will simply need to apply the offered updates, and later
>> apply any further updates, and verify/import the new GPG key.
>
>> For more details and an FAQ, please see
>> https://fedoraproject.org/w/index.php?title=Enabling_new_signing_key
>
> One question I don't see answered is whether the upgrade system purges
> the trust on the old key from our systems after verification of the new
> key. Otherwise, some DNS or wifi hack in the future could lead me to
> a false update site using the old compromised key and my system would
> still install those updates.
>

>From the original notification:

"There will be further milestones in the future that involve redirection
of release package repos to match that of updates, and removing of old
gpg key from rpm trust."

i.e. at this point the old key is not purged, but it will be in the
future. Since the resigned repos of the fedora repo are not yet
activated (only the updates-newkey is activated), the old key is still
required to install software. That's my reading of the notice, anyhow.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux