Patrick O'Callaghan wrote: > > The hypothetical scenario being discussed is that you have already > replaced the former (good but now possibly suspect) public key with a > spurious new one. If that were to happen, you would be in danger of > accepting trojanned packages signed with this new fake key. My point is > that you would also *reject* packages signed with the new good key, and > this would be noticed very quickly (basically the next time you did an > update). > That is an extremely unlikely possibility as you have to generate a key with the same key id (fingerprint)as the original. Also, you have to determine how to trick all users in to replacing the original. -- Necessity is a mother. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines