Bill Davidsen wrote: > Ed Greshko wrote: >> Patrick O'Callaghan wrote: >>> The hypothetical scenario being discussed is that you have already >>> replaced the former (good but now possibly suspect) public key with a >>> spurious new one. If that were to happen, you would be in danger of >>> accepting trojanned packages signed with this new fake key. My point is >>> that you would also *reject* packages signed with the new good key, and >>> this would be noticed very quickly (basically the next time you did an >>> update). >>> >> That is an extremely unlikely possibility as you have to generate a key >> with the same key id (fingerprint)as the original. Also, you have to >> determine how to trick all users in to replacing the original. > > All users? This is like spam email, you only need to succeed in a few > cases to get benefit. And distributing the fingerprint assumes you can > do that securely as well. > I think you have no concept of public/private encryption or signing. -- Behind every great computer sits a skinny little geek. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
