On Friday, October 19, 2018 4:32:08 PM EDT Andrew Gilmore wrote:
I'm also very confused on this. Wasn't this part of the Red Hat recommended security settings?
The issue Trevor is talking about is a very unusable situation. The recommended setting is fine wrt normal use.
Upstream says that a repo key is assigned to a specific repo. Metadata key for shady repo cannot be used for metadata for an official Red Hat repo.
-Steve
As far as I can tell, DNF does nothing different for repo metadata.
Andrew
On Fri, Oct 19, 2018, 14:13 Trevor Vaughan tvaughan@onyxpoint.com wrote:
Who should I open the request with?
I haven't really seen any differences in DNF from that point of view in Fedora yet.
Thanks,
Trevor
On Fri, Oct 19, 2018 at 3:15 PM Steve Grubb sgrubb@redhat.com wrote:
On Tuesday, October 16, 2018 3:58:01 PM EDT Trevor Vaughan wrote:
Necromancing this thread!
Any updates on this Steve?
The answer I was given is like this:
"The keys for checking repo. metadata are only used for those repos. (so key for repo X can't verify metadata for repo. Y). There are also CA keys, so you can cycle keys etc. The keys for rpm checking are imported into the rpm DB and thus global, but that's an rpm thing."
So, I don't think rpm/yum were intended to solve the security problem you outlined because it's not how software distribution normally works. And if two repos have the same package, I think you will notice some kind of error/warning. Feel free to open some kind of request. I also think the dnf developers may have things a little better security-wise.
-Steve
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
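The key-scoping answer quoted above (metadata keys are bound to the repo that lists them via gpgkey, while rpm package-signing keys become global once imported) suggests a simple defender-side check. The following is an added example, not code from the thread or from yum/dnf: it parses .repo files with the stock configparser module and flags repos where gpgcheck or repo_gpgcheck is off, where no gpgkey is listed, or where the same gpgkey is shared by several repos (reported for review, since the thread notes a key imported for one repo verifies packages from any repo). The .repo content is constructed for the example.

```python
import configparser
from collections import defaultdict

# Constructed sample .repo content (not from the thread): one repo with the
# recommended settings, one that skips metadata checks, one fully unsigned.
SAMPLE_REPO = """
[official]
name=Official repo
baseurl=https://example.invalid/official
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-official

[shady]
name=Shady repo
baseurl=https://example.invalid/shady
gpgcheck=1
repo_gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-official

[unsigned]
name=Unsigned repo
baseurl=https://example.invalid/unsigned
gpgcheck=0
"""


def audit_repos(text):
    """Return {repo_id: [findings]} for weak signing settings in .repo text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = defaultdict(list)
    key_users = defaultdict(list)  # gpgkey URL -> repos that list it
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("gpgcheck", "0") != "1":
            findings[repo].append("gpgcheck disabled: package signatures not verified")
        if sec.get("repo_gpgcheck", "0") != "1":
            findings[repo].append("repo_gpgcheck disabled: repo metadata not verified")
        keys = sec.get("gpgkey", "").split()
        if not keys:
            findings[repo].append("no gpgkey: nothing to verify signatures against")
        for key in keys:
            key_users[key].append(repo)
    # A key listed by several repos is not an error by itself (mirrors of one
    # vendor share keys), but once imported into the rpm DB it verifies packages
    # from every repo, so surface it for review.
    for key, repos in key_users.items():
        if len(repos) > 1:
            for repo in repos:
                others = sorted(r for r in repos if r != repo)
                findings[repo].append(f"gpgkey {key} also listed by {others}")
    return dict(findings)
```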