On Friday, October 19, 2018 4:32:08 PM EDT Andrew Gilmore wrote: > I'm also very confused on this. Wasn't this part of the Red Hat recommended > security settings?
The issue Trevor is talking about is a very unusable situation. The recommended setting is fine wrt normal use. Upstream says that a repo key is assigned to a specific repo. Metadata key for shady repo cannot be used for metadata for an official Red Hat repo. -Steve > As far as I can tell, DNF does nothing different for repo metadata. > > Andrew > > On Fri, Oct 19, 2018, 14:13 Trevor Vaughan <[email protected]> wrote: > > Who should I open the request with? > > > > I haven't really seen any differences in DNF from that point of view in > > Fedora yet. > > > > Thanks, > > > > Trevor > > > > On Fri, Oct 19, 2018 at 3:15 PM Steve Grubb <[email protected]> wrote: > >> On Tuesday, October 16, 2018 3:58:01 PM EDT Trevor Vaughan wrote: > >> > Necromancing this thread! > >> > > >> > Any updates on this Steve? > >> > >> The answer I was given is like this: > >> > >> "The keys for checking repo. metadata are only used for those repos. > >> (so key for repo X can't verify metadata for repo. Y). There are also > >> CA keys, so you can cycle keys etc. The keys for rpm checking are > >> imported > >> into the rpm DB and thus. global, but that's an rpm thing." > >> > >> So, I don't think rpm/yum were intended to solve the security problem > >> you > >> outlined because its now how software distribution normally works. And > >> if > >> two > >> repos have the same package, I think you will notice some kind of error/ > >> warning. Feel free to open some kind of request. I also think the dnf > >> developers may have things a little better security-wise. > >> > >> -Steve > > > > -- > > Trevor Vaughan > > Vice President, Onyx Point, Inc > > (410) 541-6699 x788 > > > > -- This account not approved for unencrypted proprietary information -- > > _______________________________________________ > > scap-security-guide mailing list -- > > [email protected] > > To unsubscribe send an email to > > [email protected] > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedorahosted.org/archives/list/[email protected] > > dorahosted.org _______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
