Re: Secrecy and user trust



On Wed, 03 Sep 2008 10:30:39 -0400
davidsen@xxxxxxx (Bill Davidsen) wrote:

> Anders Karlsson wrote:
> > * Travis Arnold <vestwearingpunk@xxxxxxxxx> [20080902 22:52]:
> > > [drivel snipped]
> > > Hey, I am currently downloading the ISO DVD to install after I
> > > finish my day's lessons, is this not a good idea to do?
> >
> > The word from the Fedora folks on Aug 14th was - don't update until
> > further notice. Since then, they have - IIRC - said it's safe to do
> > so. The ISOs should be safe, as well as the packages that you can
> > update to from the servers.
> >
> > New updates should start rolling once they have re-signed everything.
>
> Distributing that will be quite slow, since they need to (a)
> validate, then (b) sign, then (c) distribute out-of-band to mirrors,

Well, depends on what you mean by quite slow, but yes, doing all the
re-signing is taking a while right now. Distribution to mirrors will be
the next bottleneck.

> and then hardest of all find a secure way to provide the public part
> of the signing key. Obviously you don't risk letting someone slip in
> a bogus NEW fake key and go around on this again.

Indeed.

The proposed plan (that has since had a few modifications):
http://lists.fedoraproject.org/pipermail/rel-eng/2008-August/001627.html

> Suggestion: since the livna key is still secure (AFAIK) let them
> distribute the new Fedora key and sign the RPM.

That was suggested before, but it's not a great solution for several
reasons: Not everyone has livna enabled. Having one repo publish keys
for another seems wrong, especially when they are not officially
connected.

kevin
