On Sat, Jun 12, 2021 at 10:29:50AM +0200, Marius Schwarz wrote:
> On 12.06.21 at 02:51, Kevin Fenzi wrote:
> >
> > > Also, not having it available has made it *very* hard to prioritize
> > > getting the issues fixed in DNF. So being able to improve this is
> > > predicated on the existence of
On 12.06.21 at 02:51, Kevin Fenzi wrote:
Also, not having it available has made it *very* hard to prioritize
getting the issues fixed in DNF. So being able to improve this is
predicated on the existence of signed metadata.
This seems odd to me. I mean, it can't be hard to setup a test repo,
On Fri, Jun 11, 2021 at 11:46:42AM -0400, Neal Gompa wrote:
>
> I would like repos signed even if we don't enable it in the repo
> definitions by default for now. That would make it possible for my Open
> Build Service instance to validate Fedora content for package builds
> (it can't use
On Fri, Jun 11, 2021 at 04:11:24PM -0700, Stewart Smith via devel wrote:
> Björn Persson writes:
> > I believe Yum has a feature to verify signed repository metadata. I
> > don't know why it's not used. If that verification would be turned on,
> > are there any attacks that would still be
Björn Persson writes:
> I believe Yum has a feature to verify signed repository metadata. I
> don't know why it's not used. If that verification would be turned on,
> are there any attacks that would still be possible then, that Rekor
> could prevent?
There's still the classic downgrade attack:
On Fri, Jun 11, 2021 at 8:09 PM Miloslav Trmac wrote:
> Hello,
> On Fri, 11 Jun 2021 at 20:23, Luke Hinds wrote:
>
>> On Fri, Jun 11, 2021 at 7:01 PM Miloslav Trmac wrote:
>>
>>> On Fri, 11 Jun 2021 at 18:54, Luke Hinds wrote:
>>>
Why is this useful? You get a timestamped /
Hello,
On Fri, 11 Jun 2021 at 20:23, Luke Hinds wrote:
> On Fri, Jun 11, 2021 at 7:01 PM Miloslav Trmac wrote:
>
>> On Fri, 11 Jun 2021 at 18:54, Luke Hinds wrote:
>>
>>> Why is this useful? You get a timestamped / tamper-resistant record of
>>> all signing events. This is very
On Fri, Jun 11, 2021 at 7:01 PM Miloslav Trmac wrote:
> Hello,
> On Fri, 11 Jun 2021 at 18:54, Luke Hinds wrote:
>
>> Why is this useful? You get a timestamped / tamper-resistant record of
>> all signing events. This is very useful for understanding the exact blast
>> radius of a key
Hello,
On Fri, 11 Jun 2021 at 18:54, Luke Hinds wrote:
> Why is this useful? You get a timestamped / tamper-resistant record of
> all signing events. This is very useful for understanding the exact blast
> radius of a key compromise and monitoring for suspicious events. Most of
> the time
On Fri, Jun 11, 2021 at 4:48 PM Neal Gompa wrote:
> On Fri, Jun 11, 2021 at 11:17 AM Kevin Fenzi wrote:
> >
> > On Fri, Jun 11, 2021 at 06:27:18AM -0400, Neal Gompa wrote:
> > >
> > > We do not, however, have GPG signatures on repository metadata. Which
> >
> > True.
> >
> > > means that we
On Fri, Jun 11, 2021 at 11:17 AM Kevin Fenzi wrote:
>
> On Fri, Jun 11, 2021 at 06:27:18AM -0400, Neal Gompa wrote:
> >
> > We do not, however, have GPG signatures on repository metadata. Which
>
> True.
>
> > means that we can't guarantee the repositories aren't tampered with.
>
> False.
>
> >
On Fri, Jun 11, 2021 at 06:27:18AM -0400, Neal Gompa wrote:
>
> We do not, however, have GPG signatures on repository metadata. Which
True.
> means that we can't guarantee the repositories aren't tampered with.
False.
> This is especially problematic for people who use local mirrors or do
>
On Fri, Jun 11, 2021 at 7:49 AM Björn Persson wrote:
>
> Huzaifa Sidhpurwala wrote:
> > I am sure everyone has heard about the recent Solarwinds software supply
> > chain attacks. This attack has made all software vendors think about
> > securing their supply chain, and it is even more
Huzaifa Sidhpurwala wrote:
> I am sure everyone has heard about the recent Solarwinds software supply
> chain attacks. This attack has made all software vendors think about
> securing their supply chain, and it is even more applicable to Linux
> distributions which are made of thousands of
On Fri, Jun 11, 2021 at 5:09 AM Vitaly Zaitsev via devel wrote:
>
> On 11.06.2021 09:42, Huzaifa Sidhpurwala wrote:
> > One possible step in this direction is the ability to ensure that there
> > is no distribution point tampering of binaries shipped in Fedora.
>
> All RPM packages are already
On 11.06.2021 09:42, Huzaifa Sidhpurwala wrote:
One possible step in this direction is the ability to ensure that there
is no distribution point tampering of binaries shipped in Fedora.
All RPM packages are already digitally signed by Fedora GPG keys. No
further action is required.
If
Hi All,
I am sure everyone has heard about the recent Solarwinds software supply
chain attacks. This attack has made all software vendors think about
securing their supply chain, and it is even more applicable to Linux
distributions which are made of thousands of components built from