> @dmantipov Is there a CVE associated with this vulnerability?
> I'm asking so that I can keep an eye out for the fix.
> 
> Also, on a different note, any idea if package managers that rely on rpm are 
> vulnerable as well? Yum and Zypper for instance.

OK, as there is some confusion here: There is no CVE (AFAIK) and there should 
not be a CVE. This is not a vulnerability. This is a basic misunderstanding of 
how rpm works.
RPM by design works on the local system only and does not look things up on the 
internet. It does not make decisions on its own but relies on the user or other 
tools to be told what needs to be done - including adding or removing keys. The 
RPM way of no longer trusting a key is to remove it from the RPM DB. This works 
just fine.

This does not mean that the current situation does not leave things to be 
desired, as withdrawing a key requires quite some effort, like issuing an update 
that removes the key or using some sort of automation for local setups.

But the topic is much more complicated than just adding support for GPG 
revocation keys to RPM. First, the actual key lookup and check needs to go into 
the updater level (e.g. dnf and zypper) as they are dealing with things on the 
network. More important than removing a key is probably a way to add a new one 
when the current one is no longer trusted. Just breaking (automatic) updates 
for everyone is not a great solution. And there are probably more things to 
consider. Some are already mentioned above.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-873881324
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
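The reply above describes the local mechanism for distrusting a key (remove the `gpg-pubkey` entry from the RPM DB) and notes that importing a replacement key matters more than removal, and that local setups need some automation for this. The following script is an added example, not code from the rpm project or from anyone in this thread: it audits the keys in the RPM DB against an allowlist of key ids and prints the `rpm --import` / `rpm -e` commands an operator would run, as a dry run. The key list is normally produced by `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'`; here it is fed from a constructed sample so the script runs without rpm. The key ids, summaries and the replacement key path are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the rpm project or this thread): plan a key
# rotation on a local system by comparing the gpg-pubkey packages in the
# RPM DB against an allowlist, importing a replacement key first and then
# removing every key that is no longer trusted. Nothing is executed; the
# script only prints the commands.

# Constructed sample of `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'`
# output (tab separated). Key ids and summaries are made up.
SAMPLE_KEYS="$(printf 'gpg-pubkey-0a1b2c3d-5e6f7a8b\tgpg(Example Distro (42) <release@example.invalid>)\ngpg-pubkey-deadbeef-60000001\tgpg(Old Vendor Key <old@example.invalid>)\ngpg-pubkey-11223344-61000002\tgpg(Third Party Repo <repo@example.invalid>)')"

# Key ids (the 8 hex digits in the package name) the administrator still
# trusts; constructed. Everything else found in the DB is reported for removal.
TRUSTED_IDS='0a1b2c3d 11223344'

# Placeholder path of the replacement public key to import before removal,
# so that updates keep working once the old key is gone. Empty = no import.
REPLACEMENT_KEY='/etc/pki/rpm-gpg/NEW-KEY.asc'

# key_id NAME -> the key id embedded in a gpg-pubkey-<id>-<timestamp> name.
key_id() {
    printf '%s\n' "$1" | cut -d- -f3
}

# is_trusted ID -> exit status 0 if ID is on the allowlist.
is_trusted() {
    for t in $TRUSTED_IDS; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# untrusted_keys reads the query output on stdin and prints, one per line,
# the full gpg-pubkey package name of every key not on the allowlist.
untrusted_keys() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r name summary; do
        [ -n "$name" ] || continue
        if ! is_trusted "$(key_id "$name")"; then
            printf '%s\n' "$name"
        fi
    done
}

# plan_rotation reads the query output on stdin and prints the rpm commands:
# import the replacement key (if configured), then erase each untrusted key.
plan_rotation() {
    if [ -n "$REPLACEMENT_KEY" ]; then
        printf 'rpm --import %s\n' "$REPLACEMENT_KEY"
    fi
    untrusted_keys | while read -r pkg; do
        printf 'rpm -e %s\n' "$pkg"
    done
}

# Stand-alone dry run against the constructed sample.
printf '%s\n' "$SAMPLE_KEYS" | plan_rotation
```

On a real host the last line becomes `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | plan_rotation`, and the printed commands are reviewed before being run; importing before erasing is deliberate, since an updater with no trusted key at all simply fails on every package.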