[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Using out-of-date GPG to sign Fedora releases...



Hi,

It will be appreciated if all the checksums of future releases are signed with a up-to-date version of GPG. There are currently some files, including all of the Fedora 11 releases that are signed with a out-of-date version of Gnupg 1.4.5 from 2006, instead of the latest 1.4.9. I don't know if any potential security issue is related to this practice, but there is quite a large list of security problems between 1.4.5 and 1.4.9.

Some examples:
Gnupg 1.4.5
ftp://alviss.et.tudelft.nl/pub/fedora/linux/releases/10/Fedora/x86_64/iso/SHA1SUM
Gnupg 1.4.9
ftp://alviss.et.tudelft.nl/pub/fedora/linux/releases/10/Live/x86_64/SHA1SUM
Gnupg 1.4.5
ftp://alviss.et.tudelft.nl/pub/fedora/linux/releases/test/11-Beta/Live/x86_64/F11-Beta-x86_64-Live-KDE-CHECKSUM


Bram.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]