
Re: Using out-of-date GPG to sign Fedora releases...



On Mon, 13 Apr 2009 08:30:35 -0400, Todd wrote:

> Bram_Gro wrote:
> > It will be appreciated if all the checksums of future releases are
> > signed with an up-to-date version of GPG. There are currently some
> > files, including all of the Fedora 11 releases, that are signed with
> > an out-of-date version of GnuPG, 1.4.5 from 2006, instead of the
> > latest 1.4.9. I don't know if any potential security issue is
> > related to this practice, but there is quite a large list of
> > security problems between 1.4.5 and 1.4.9.
> 
> You're presuming that the gnupg used is an unpatched version.  More
> likely, it's the version shipped by RHEL, which has any known security
> fixes backported.  I don't think there's anything to worry about here.

??? What do vulnerabilities in GnuPG have to do with the signatures?
Why don't you use 1.4.9 to verify those signatures?

