Les Mikesell wrote: > Ed Greshko wrote: >> >>> What's the point of having the key at all if you implicitly trust the >>> delivery mechanism of the RPM packages? >> Good approach, answer a question with another question. >> > > If you can't say why you need the key in the first place, there isn't > much hope of seeing why you need a different reason to trust the key > than the content it verifies. > Bzzzzttt... Wong! You are attacking the current system and it is incumbent on you to prove your points.
I can't help but to see the irony in that those clamoring for "explicit details" from the Fedora folks as to the nature, methods, damage inflicted on the Fedora infrastructure are so devoid of details on how their attack vector would work. Their scenario amounts to...generate a fake key pair, fool people in accepting it, sign compromised packages, fool people into downloading and installing them...take over their systems. <comic aside> There is a much easier way to achieve the above. Trick people into installing Microsoft products. </comic aside. -- The onset and the waning of love make themselves felt in the uneasiness experienced at being alone together. -- Jean de la Bruyere -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
