Who should I open the request with?
I haven't really seen any differences in DNF from that point of view in Fedora yet.
Thanks,
Trevor
On Fri, Oct 19, 2018 at 3:15 PM Steve Grubb sgrubb@redhat.com wrote:
On Tuesday, October 16, 2018 3:58:01 PM EDT Trevor Vaughan wrote:
Necromancing this thread!
Any updates on this Steve?
The answer I was given is like this:
"The keys for checking repo. metadata are only used for those repos. (so key for repo X can't verify metadata for repo. Y). There are also CA keys, so you can cycle keys etc. The keys for rpm checking are imported into the rpm DB and thus global, but that's an rpm thing."
So, I don't think rpm/yum were intended to solve the security problem you outlined because it's not how software distribution normally works. And if two repos have the same package, I think you will notice some kind of error/warning. Feel free to open some kind of request. I also think the dnf developers may have things a little better security-wise.
-Steve
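As an added illustration of the per-repo key scoping Steve describes (this is a constructed example, not configuration from anyone in the thread): in a yum/dnf `.repo` file each repository carries its own `gpgkey`, and `repo_gpgcheck=1` makes that key verify only that repository's metadata, while `gpgcheck=1` verifies package signatures against keys imported into the global rpm database. The repo names, URLs and key paths below are placeholders.

```ini
# /etc/yum.repos.d/example.repo (constructed example; paths and URLs are placeholders)

[repo-x]
name=Repo X
baseurl=https://repo-x.example.invalid/$releasever/$basearch/
enabled=1
# Package signatures are checked against keys imported into the rpm DB (global).
gpgcheck=1
# Repository metadata (repomd.xml) is checked with this repo's key only;
# it cannot be used to validate metadata served by [repo-y].
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-repo-x

[repo-y]
name=Repo Y
baseurl=https://repo-y.example.invalid/$releasever/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=1
# A different key; metadata signed with repo-x's key is rejected here.
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-repo-y
```

The practical check for a defender is that both repositories set `repo_gpgcheck=1` with distinct keys; a repo with `repo_gpgcheck=0` (the default) still has package-level `gpgcheck` protection, but its metadata, and therefore which package versions it advertises, is not signature-verified.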