Hi,

Over five years ago, vulnerabilities in Fedora's (and others') package
managers [1] were presented at USENIX.

And even though yum has supported repo_gpgcheck since 2008 [2],
Fedora still does not make use of it to protect the repo metadata.

Are there specific reasons why Fedora still does not sign its repo
metadata to prevent metadata manipulation attacks (i.e. "hiding" updates)?
The LWN article from 2009 [1] somehow hinted that it was about to be
enabled in Fedora 11?

I filed a bug against fedora-release (covering the missing
repo_gpgcheck in fedora.repo) [3].
Against which component would I file the missing repomd.xml.asc (on Fedora's
repositories)?

thanks,
Joonas



[1] https://lwn.net/Articles/327847/
[2] http://lists.baseurl.org/pipermail/yum-devel/2008-August/005350.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1130491
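As an added example, not part of the message above or of any Fedora tooling: a POSIX sh/awk audit that lists the enabled sections of a yum/dnf .repo file which do not set repo_gpgcheck=1 (so their repomd.xml is accepted without a signature check), plus a pass that emits the hardened file. The SAMPLE_REPO text is a constructed fragment modelled on fedora.repo, not the real file.

```shell
#!/bin/sh
# Constructed sample: [fedora] signs packages (gpgcheck=1) but not the
# repository metadata; [updates] already has repo_gpgcheck=1.
SAMPLE_REPO='[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
enabled=0
gpgcheck=1

[updates]
name=Fedora $releasever - $basearch - Updates
enabled=1
gpgcheck=1
repo_gpgcheck=1
'

# Read .repo text on stdin; print the name of every enabled section whose
# metadata is unsigned-by-default (yum defaults: enabled=1, repo_gpgcheck=0).
unsigned_metadata_repos() {
    awk '
        function flush() { if (sec != "" && enabled == 1 && repo_gpgcheck != 1) print sec }
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            flush()
            sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
            enabled = 1; repo_gpgcheck = 0
            next
        }
        /^[[:space:]]*enabled[[:space:]]*=/       { split($0, kv, "="); enabled = kv[2] + 0 }
        /^[[:space:]]*repo_gpgcheck[[:space:]]*=/ { split($0, kv, "="); repo_gpgcheck = kv[2] + 0 }
        END { flush() }
    '
}

# Read .repo text on stdin; write it back with repo_gpgcheck=1 added to every
# section that lacks it, so repomd.xml must verify against repomd.xml.asc.
add_repo_gpgcheck() {
    awk '
        function flush() { if (sec != "" && !seen) { print "repo_gpgcheck=1"; seen = 1 } }
        /^[[:space:]]*\[.*\][[:space:]]*$/    { flush(); sec = $0; seen = 0; print; next }
        /^[[:space:]]*repo_gpgcheck[[:space:]]*=/ { seen = 1; print "repo_gpgcheck=1"; next }
        /^[[:space:]]*$/                          { flush(); print; next }
        { print }
        END { flush() }
    '
}
```

Run `printf '%s' "$SAMPLE_REPO" | unsigned_metadata_repos` to see the weak section reported, and pipe the same text through `add_repo_gpgcheck` to get the corrected file; on a real system point it at /etc/yum.repos.d/*.repo instead of the sample.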
