On Friday, October 19, 2018 4:32:08 PM EDT Andrew Gilmore wrote:
I'm also very confused on this. Wasn't this part of the Red
Hat recommended
security settings?
The issue Trevor is talking about is a very unusable situation. The
recommended setting is fine wrt normal use.
Upstream says that a repo key is assigned to a specific repo. Metadata key
for shady repo cannot be used for metadata for an official Red Hat repo.
-Steve
As far as I can tell, DNF does nothing different for repo metadata.
Andrew
On Fri, Oct 19, 2018, 14:13 Trevor Vaughan <tvaughan(a)onyxpoint.com> wrote:
> Who should I open the request with?
>
> I haven't really seen any differences in DNF from that point of view in
> Fedora yet.
>
> Thanks,
>
> Trevor
>
> On Fri, Oct 19, 2018 at 3:15 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
>> On Tuesday, October 16, 2018 3:58:01 PM EDT Trevor Vaughan wrote:
>> > Necromancing this thread!
>> >
>> > Any updates on this Steve?
>>
>> The answer I was given is like this:
>>
>> "The keys for checking repo. metadata are only used for those repos.
>> (so key for repo X can't verify metadata for repo. Y). There are also
>> CA keys, so you can cycle keys etc. The keys for rpm checking are
>> imported
>> into the rpm DB and thus. global, but that's an rpm thing."
>>
>> So, I don't think rpm/yum were intended to solve the security problem
>> you
>> outlined because its now how software distribution normally works. And
>> if
>> two
>> repos have the same package, I think you will notice some kind of error/
>> warning. Feel free to open some kind of request. I also think the dnf
>> developers may have things a little better security-wise.
>>
>> -Steve
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe
>
dorahosted.org