I guess this is twofold: First we assume they are the same when there really is
no reason an attacker would do so. So we can end up with different signatures
depending on the rpm version being used.
Then there's this "the newer rpm could check this but we leave that to the
older version that has less of a chance to figure things out". Not sure if this
really is realistic, this "use rpm V6 to check signatures and then hand the
packages down to an older rpm version". OTOH there is this post-quantum talk.
As soon as we do have policies requiring specific signatures, maybe there is a
way to sneak in weak signatures this way.
Maybe this is just fine for now and we need to look at this later on when we
get into policy-based verification.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3439#issuecomment-2485903311