Miles Sabin wrote:
On Fri, Aug 22, 2008 at 6:08 PM, Rahul Sundaram wrote:
The RHEL signing keys have, however, been used by an unauthorized
party to sign unauthorized packages. Some people would say that that
qualified as "compromised" on any reasonable definition.
Yes, but if it requires physical access, there is no need to generate a new
key.

There are bogus packages already signed and quite possibly out in the
wild ... what do you mean there's no need to generate a new key?

All I would say is that it really depends on the setup, and I gave you a link earlier with some details. Besides, this is primarily a Fedora announcement. RHEL details are elsewhere.

Rahul

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
