On 11/20/2009 01:36 AM, Mohan R wrote:
> I'm sure it will be alright. Also I know SSH Key != GPG, I asked that
> fedora already came across an event that modified its package's GPG key
> through an admin's SSH key,

I forgot to mention a few things in my previous mail, but you are making an incorrect claim. In particular, "The Fedora package signing key was present on a system to which the intruder had access during the time of the event, but the results of our investigation did not lead us to believe the intruder accessed the key." No intruder ever modified any package's GPG key.

Also note that the PackageKit change was made upstream and inherited in Fedora 12. It was not a Fedora-specific change. It was not noticed when it was inherited because Rawhide (Fedora's development branch) packages are never signed, and PackageKit in that case would always prompt for the password. In Fedora 11, PackageKit allowed any user to retain the authorization for installing packages when the user enters the admin password for the first time. So this is not a fundamentally new change nevertheless.

Hope that helps understand the situation better.

Rahul
