Using out-of-date GPG to sign Fedora releases...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

It will be appreciated if all the checksums of future releases are signed with a up-to-date version of GPG. There are currently some files, including all of the Fedora 11 releases that are signed with a out-of-date version of Gnupg 1.4.5 from 2006, instead of the latest 1.4.9. I don't know if any potential security issue is related to this practice, but there is quite a large list of security problems between 1.4.5 and 1.4.9.

Some examples:
Gnupg 1.4.5
ftp://alviss.et.tudelft.nl/pub/fedora/linux/releases/10/Fedora/x86_64/iso/SHA1SUM
Gnupg 1.4.9
ftp://alviss.et.tudelft.nl/pub/fedora/linux/releases/10/Live/x86_64/SHA1SUM
Gnupg 1.4.5
ftp://alviss.et.tudelft.nl/pub/fedora/linux/releases/test/11-Beta/Live/x86_64/F11-Beta-x86_64-Live-KDE-CHECKSUM


Bram.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux