Who should I open the request with? I haven't really seen any differences in DNF from that point of view in Fedora yet.
Thanks, Trevor On Fri, Oct 19, 2018 at 3:15 PM Steve Grubb <[email protected]> wrote: > On Tuesday, October 16, 2018 3:58:01 PM EDT Trevor Vaughan wrote: > > Necromancing this thread! > > > > Any updates on this Steve? > > The answer I was given is like this: > > "The keys for checking repo. metadata are only used for those repos. > (so key for repo X can't verify metadata for repo. Y). There are also > CA keys, so you can cycle keys etc. The keys for rpm checking are imported > into the rpm DB and thus. global, but that's an rpm thing." > > So, I don't think rpm/yum were intended to solve the security problem you > outlined because its now how software distribution normally works. And if > two > repos have the same package, I think you will notice some kind of error/ > warning. Feel free to open some kind of request. I also think the dnf > developers may have things a little better security-wise. > > -Steve > > > > -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788 -- This account not approved for unencrypted proprietary information --
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
