Re: Using out-of-date GPG to sign Fedora releases...

On Mon, 13 Apr 2009 08:30:35 -0400, Todd wrote:

> Bram_Gro wrote:
> > It will be appreciated if all the checksums of future releases are
> > signed with an up-to-date version of GPG. There are currently some
> > files, including all of the Fedora 11 releases that are signed with
> > an out-of-date version of GnuPG 1.4.5 from 2006, instead of the
> > latest 1.4.9. I don't know if any potential security issue is
> > related to this practice, but there is quite a large list of
> > security problems between 1.4.5 and 1.4.9.
> 
> You're presuming that the gnupg used is an unpatched version.  More
> likely, it's the version shipped by RHEL, which has any known security
> fixes backported.  I don't think there's anything to worry about here.

??? What do vulnerabilities in GnuPG have to do with the signatures?
Why don't you use 1.4.9 to verify those signatures?

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
