[katello-devel] GPG keys - proposed solution
Bryan Kearney
bkearney at redhat.com
Mon Nov 21 20:22:03 UTC 2011
On 11/16/2011 03:44 AM, Ohad Levy wrote:
> Now, my question concerns security:
> pulp trusts the repo based on the ssl cert, and the client trusts the packages based on the gpg key (and ssl); however, in this case, if someone were to hijack the repo, he could replace the gpg key as well (meaning ssl certs are all that is required). Does anyone see an issue with that?
What if the gpgkey was in another location, not tied to the repo? Then
they would need to hijack both. Would that be better?
-- bk