[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Using out-of-date GPG to sign Fedora releases...



Bram_Gro wrote:
> It will be appreciated if all the checksums of future releases are
> signed with a up-to-date version of GPG. There are currently some
> files, including all of the Fedora 11 releases that are signed with
> a out-of-date version of Gnupg 1.4.5 from 2006, instead of the
> latest 1.4.9. I don't know if any potential security issue is
> related to this practice, but there is quite a large list of
> security problems between 1.4.5 and 1.4.9.

You're presuming that the gnupg used is an unpatched version.  More
likely, it's the version shipped by RHEL, which has any known security
fixes backported.  I don't think there's anything to worry about here.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cover a war in a place where you can't drink beer or talk to a woman?
Hell no!"
    -- Hunter S. Thompson

Attachment: pgp2FAuFM9hEN.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]