fedup: does not verify source
Adam Williamson
awilliam at redhat.com
Tue Dec 18 01:41:20 UTC 2012
On Tue, 2012-12-18 at 02:05 +0100, Björn Persson wrote:
> Adam Williamson wrote:
> > On Mon, 2012-12-17 at 11:27 -0500, Przemek Klosowski wrote:
> > > On 12/17/2012 01:58 AM, Adam Williamson wrote:
> > > > fedup essentially automates doing yum distro-sync across a reboot
> > > > and in an isolated environment
> > >
> > > I don't understand---the discussion started by pointing out that
> > > fedup does not check signatures, then someone said that yum
> > > distro-sync does it properly, and you're saying that fedup just
> > > automates distro-sync. At which point is the signature checking
> > > disabled then? and can it be restored?
> >
> > anyhow, the tricky thing here lies in somehow making it safe for fedup
> > to *automatically* import the correct key for the next release. This
> > is a subtlish problem.
>
> There's another thing that also needs to be fixed. If I've understood
> what I've read correctly, then Fedup downloads a kernel and a ramdisk
> which make up that isolated environment that Adam mentioned. Those files
> aren't RPM packages and aren't signed like the packages are. Those who
> have the secret keys need to start signing the kernel/ramdisk pair, and
> Fedup needs to verify that signature. Naturally the signature must be
> verified before the kernel/ramdisk pair is booted.
That, we already have a bug for and it is being worked on, I believe.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
More information about the devel
mailing list