[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: https://koji.fedoraproject.org is signed with an unknown certificate (extras64.linux.duke.edu)



On Monday 15 October 2007 00:32:40 Mike McGrath wrote:

> This isn't actually causing any practical problems so I've been ignoring

There are practical problems, e.g. the unsigned rpms from koji are not 
accessible in a trusted way, which they would be if there was are certificate 
that can be verified.

> it.  As far as man in the middle attack... someone will think they've
> submitted a build but haven't?  either way I'll submit a purchase

Maybe there can be only little harm done in a mitm attack against koji. But 
why should a use wonder when he gets an "bad" certificate for 
admin.fedoraproject.org? He already knows this from his experience with 
koji.fedoraproject.org, so this seems to be normal for Fedora for him and he 
may just accept the bad certificate.

Regards,
Till

Attachment: signature.asc
Description: This is a digitally signed message part.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]