[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Why different keys for -testing and non-testing?



On Saturday 17 January 2009 10:19:21 am Douglas E. Warner wrote:
> On 01/16/2009 Jesse Keating wrote:
> > Given that we can't revoke, yes, we plan to use new keys each release.
> > We can use gpg web-o-trust thing and sign the new keys with the old
> > keys and whatnot, does that actually help people?
>
> Why couldn't we revoke keys?  Even if RPM itself doesn't have the
> capability, we could have yum periodically check for updates on installed
> keys on keyservers through a plugin, I would imagine.

I have a machine that has been migrated for a long time. It has 9 
gpg-pubkey packages installed. Which ones are valid? Why don't they get 
retired by obsoletes or something? Could someone use my ancient gpg-pubkeys 
as a basis for an attack on repo metadata 
(http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html) 
and provide an older package with known security holes? 

Old keys should be retired. We should also make import of keys an auditable 
event.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]