https://koji.fedoraproject.org is signed with an unknown certificate (extras64.linux.duke.edu)
Mike McGrath
mmcgrath at redhat.com
Sun Oct 14 22:32:40 UTC 2007
Till Maas wrote:
> Hello,
>
> for two months there has been no progress on a security ticket:
> https://hosted.fedoraproject.org/projects/fedora-infrastructure/ticket/88
>
> https://koji.fedoraproject.org spits out an strange certificate instead of one
> signed by an well known CA, e.g. Equifax. Can maybe someone who reads here
> and did not notice this Security Bug fix this? In case there is no money
> available for this, then please use at least a certificate from cacerct.org
> instead of this imho nearly complete useless certificate. Also it is not very
> wise to educate users (Fedora maintainers) to accept bad certificates in
> Fedora's Infrastructure, so that in case there is a Man-in-the-middle attack,
> e.g. on an conference with free wifi, the regarding maintainers will be
> fooled.
This isn't actually causing any practical problems so I've been ignoring
it. As far as man in the middle attack... someone will think they've
submitted a build but haven't? either way I'll submit a purchase
request for the cert now.
-Mike
More information about the infrastructure
mailing list