Kevin Fenzi wrote:
> On Wed, 03 Sep 2008 10:30:39 -0400
> [EMAIL PROTECTED] (Bill Davidsen) wrote:
[...]
>> and then hardest of all find a secure way to provide the public part
>> of the signing key. Obviously you don't risk letting someone slip in
>> a bogus NEW fake key and go around on this again.
>
> Indeed.
>
> The proposed plan (that has since had a few modifications):
> http://lists.fedoraproject.org/pipermail/rel-eng/2008-August/001627.html
Since rpm/yum don't have any method to handle a key revocation, this process is harder than it might otherwise be. As I understand the plan currently, the new key will be included in an updated fedora-release package that will be signed by the old key. This will make the change as transparent as possible for most users, and since it is not believed that the old key is compromised at this time, it is reasonably secure. (Insert various caveats regarding the meaning of "reasonably secure" and "not believed ... compromised ..." as needed.)

I presume that the new key's fingerprint and other details will be added to https://fedoraproject.org/keys sometime soon, and that can be used by those who want a bit more verification of the new key before trusting it.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sanity is the trademark of a weak mind.
    -- Mark Harrold
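An added example (not from this thread or the Fedora project) of the out-of-band fingerprint check Todd describes: it parses `gpg --with-colons` output for a candidate key file and accepts the file only when every primary key's fingerprint matches one copied by hand from the keys web page. The sample gpg output and the fingerprints are constructed placeholders, not the real Fedora key.

```python
import re
from typing import List, Set

# Constructed sample of `gpg --with-colons` output for a key file (placeholder key,
# not the real Fedora key). In fpr records the fingerprint is field 10 (index 9).
SAMPLE_GPG_OUTPUT = """\
pub:-:1024:17:0123456789ABCDEF:2008-08-27:::-:Fedora (example) <placeholder@example.org>::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:2048:16:FEDCBA9876543210:2008-08-27::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

# Fingerprint copied by hand from the out-of-band source (the keys web page), in the
# spaced display form. Placeholder value for this example.
TRUSTED_FINGERPRINTS = {"0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"}


def normalize_fpr(fpr: str) -> str:
    """Strip whitespace and force upper case so display and machine forms compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def primary_fingerprints(colon_output: str) -> List[str]:
    """Fingerprints of primary keys only: an fpr record that directly follows a pub record.
    Subkey fingerprints (fpr after sub) are deliberately ignored; only the primary key
    carries the identity being verified."""
    fprs = []
    last_record = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and last_record == "pub" and len(fields) > 9:
            fprs.append(normalize_fpr(fields[9]))
        if fields[0] in ("pub", "sub"):
            last_record = fields[0]
    return fprs


def key_is_trusted(colon_output: str, trusted: Set[str]) -> bool:
    """True only if the file holds at least one primary key and every primary key in it
    matches a fingerprint obtained out of band. An empty or unexpected file is rejected,
    as is a file that bundles an extra, unlisted key alongside the expected one."""
    trusted_norm = {normalize_fpr(f) for f in trusted}
    fprs = primary_fingerprints(colon_output)
    return bool(fprs) and all(f in trusted_norm for f in fprs)
```

Only after `key_is_trusted` returns True would one go on to `rpm --import` the file; a mismatch means the key file, not the web page, is the thing to distrust.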
-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines