I'm also very confused on this. Wasn't this part of the Red Hat recommended
security settings?
As far as I can tell, DNF does nothing different for repo metadata.
Andrew
On Fri, Oct 19, 2018, 14:13 Trevor Vaughan <tvaughan(a)onyxpoint.com> wrote:
Who should I open the request with?
I haven't really seen any differences in DNF from that point of view in
Fedora yet.
Thanks,
Trevor
On Fri, Oct 19, 2018 at 3:15 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Tuesday, October 16, 2018 3:58:01 PM EDT Trevor Vaughan wrote:
> > Necromancing this thread!
> >
> > Any updates on this Steve?
>
> The answer I was given is like this:
>
> "The keys for checking repo. metadata are only used for those repos.
> (so key for repo X can't verify metadata for repo. Y). There are also
> CA keys, so you can cycle keys etc. The keys for rpm checking are
> imported
> into the rpm DB and thus. global, but that's an rpm thing."
>
> So, I don't think rpm/yum were intended to solve the security problem you
> outlined because its now how software distribution normally works. And if
> two
> repos have the same package, I think you will notice some kind of error/
> warning. Feel free to open some kind of request. I also think the dnf
> developers may have things a little better security-wise.
>
> -Steve
>
>
>
>
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
_______________________________________________
scap-security-guide mailing list --
scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to
scap-security-guide-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...