On Fri, 2009-12-11 at 22:16 +0530, Rahul Sundaram wrote: > On 12/11/2009 08:34 PM, Tim wrote: > It'll take quite some effort, not impossible, but very > > difficult, to get a signed compromising package into the repos. > > Unfortunately, I don't think it's that difficult. Why do you believe it is? It does at least require the cooperation of an insider. To me, that raises the bar quite a bit. But it is true that signing of packages does not protect against someone with access to the signing key who is working for nefarious purposes. Insider attacks (where the attack comes from someone who is trusted) are always considerably more difficult to defend against. The other avenue of possible attack, we have already seen in that major incident that nobody is talking about )-: where the bad guys actually did apparently get access to the signing key (although the official statement is that no malicious signed packages ever got out). That resulted in the key being changed and all sorts of pain for every Fedora user, so we all know about that one. But that sort of attack is difficult to pull off undetected. An insider attack is much more likely to result in wide distribution of a malicious package before it is detected. --Greg -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines