On Wed, 03 Sep 2008 10:30:39 -0400
davidsen@xxxxxxx (Bill Davidsen) wrote:

> Anders Karlsson wrote:
> > * Travis Arnold <vestwearingpunk@xxxxxxxxx> [20080902 22:52]:
> > [drivel snipped]
> >> Hey I am currently downloading the ISO dvd to install after I
> >> finish my day's lessons, is this not a good idea to do?
> >
> > The word from the Fedora folks on Aug 14th was - don't update until
> > further notice. Since then, they have - IIRC - said it's safe to do
> > so. The ISO's should be safe, as well as the packages that you can
> > update to from the servers.
> >
> > New updates should start rolling once they have resigned everything.
> >
> Distributing that will be quite slow, since they need to (a)
> validate, then (b) sign, then (c) distribute out-of-band to mirrors,

Well, depends on what you mean by quite slow, but yes, doing all the
re-signing is taking a while right now. Distribution to mirrors will be
the next bottleneck.

> and then hardest of all find a secure way to provide the public part
> of the signing key. Obviously you don't risk letting someone slip in
> a bogus NEW fake key and go around on this again.

Indeed. The proposed plan (that has since had a few modifications):

http://lists.fedoraproject.org/pipermail/rel-eng/2008-August/001627.html

> Suggestion: since the livna key is still secure (AFAIK) let them
> distribute the new Fedora key and sign the RPM.

That was suggested before, but it's not a great solution for several
reasons:

Not everyone has livna enabled.

Having one repo publish keys for another seems wrong, especially when
they are not officially connected.

kevin