On Saturday 17 January 2009 10:19:21 am Douglas E. Warner wrote:
On 01/16/2009 Jesse Keating wrote:
> Given that we can't revoke, yes, we plan to use new keys each release.
> We can use gpg web-o-trust thing and sign the new keys with the old
> keys and whatnot, does that actually help people?
Why couldn't we revoke keys? Even if RPM itself doesn't have the
capability, we could have yum periodically check for updates on installed
keys on keyservers through a plugin, I would imagine.
I have a machine that has been migrated for a long time. It has 9
gpg-pubkey packages installed. Which ones are valid? Why don't they get
retired by obsoletes or something? Could someone use my ancient gpg-pubkeys
as a basis for an attack on repo metadata
(http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on...)
and provide an older package with known security holes?
Old keys should be retired. We should also make import of keys an auditable
event.
-Steve
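As an added illustration of the audit Steve asks for (which installed gpg-pubkey packages are still trusted), here is a small shell script that is not from the thread or from any Fedora tool. It relies only on the real rpm naming convention gpg-pubkey-<low 32 bits of key id>-<creation time as hex epoch>; the helper names, the allow-list and the sample package names are constructed for the example.

```shell
# Decode one gpg-pubkey package name into "<keyid> <creation epoch>".
# Returns 1 if the name does not follow rpm's gpg-pubkey-XXXXXXXX-TTTTTTTT form.
decode_pubkey_pkg() {
    pkg="$1"
    case "$pkg" in gpg-pubkey-*-*) ;; *) return 1 ;; esac
    rest=${pkg#gpg-pubkey-}
    keyid=${rest%-*}; ctime=${rest#*-}
    [ ${#keyid} -eq 8 ] || return 1
    case "$keyid$ctime" in *[!0-9a-f]*) return 1 ;; esac
    printf '%s %d\n' "$keyid" "$((0x$ctime))"
}

# Read package names from stdin (one per line) and compare each key id with an
# allow-list of ids the administrator still trusts (space-separated, argument 1).
# Prints OK / UNKNOWN / MALFORMED per line; exit status 1 if anything needs review.
audit_pubkeys() {
    allow="$1"
    status=0
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        if ! decoded=$(decode_pubkey_pkg "$pkg"); then
            printf 'MALFORMED %s\n' "$pkg"; status=1; continue
        fi
        set -- $decoded          # $1 = key id, $2 = creation epoch
        case " $allow " in
            *" $1 "*) printf 'OK %s created=%s\n' "$1" "$2" ;;
            *) printf 'UNKNOWN %s created=%s (retire?)\n' "$1" "$2"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample input standing in for `rpm -q gpg-pubkey` output; the ids
# and timestamps are made up for this example, not real distribution keys.
SAMPLE_PKGS='gpg-pubkey-01234567-4a000000
gpg-pubkey-89abcdef-3b9aca00
gpg-pubkey-broken'
TRUSTED_KEYIDS='01234567'

# On a real machine replace the sample with: rpm -q gpg-pubkey | audit_pubkeys "$TRUSTED_KEYIDS"
printf '%s\n' "$SAMPLE_PKGS" | audit_pubkeys "$TRUSTED_KEYIDS"
```

Feed the creation epoch to `date -d @<epoch>` on a GNU system to see when a flagged key was generated, and remove retired keys with `rpm -e gpg-pubkey-<id>-<time>` after checking them against the repository's published key files.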