
BLU Discuss list archive



messed up signatures in fedora updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matthew Valites wrote:

| I'm not really sure why turning off gpg signatures on up2date would
| compromise...  ...either way, that's why I offered
| the suggestions of using yum (a much better solution as stated by the RH
| people) or what files to check with the up2date stuff...

hi, there seems to be an issue with trying to use more than one solution
on the same box, here's a snip i got in the mail,

"Either one works well, and they do about the same thing.  I think
apt is a bit easier to use when installing new packages and resolving
dependencies, but yum.up2date is the supported tool.  Just don't run
both.  (At different times, of course!)  I found myself in the situation
where up2date choked because apt installed a higher level of a package
than was available via up2date.  It said the package had to be updated,
but failed because the installed version was at a higher level than the
"required" version."

also, concerning what you said about turning off gpg, after thinking
about it some more, you're right and i was wrong.  here's another snip
from www.securityfocus.com,

"For an attacker to make use of this flaw, they would have to make
unsigned packages appear on the Red Hat Network. Connections to the Red
Hat Network servers are authenticated and verified by the use of SSL, so
it is not possible to intercept the connection to Red Hat Network
servers and give unsigned packages.  To make use of this flaw, an
attacker would have to compromise the Red Hat Network servers at Red
Hat. Because of these factors, the risk of exploiting this bug is low."

they are talking about the change of gpg sig that happened a little
while back.  there's easier ways to get root huh?

hey to the gentleman who started this conversation, any luck on getting
your up2date fixed?

- --
loki_the_doppelganger
http://home.comcast.net/~235u/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/vD4zMb0VvwEIaEsRAuRGAJ9Kb4ZAU/4iu75ry8m4Pu+6E2VekQCcCo3D
29Gz3QAZS9VoOaVmvB+HHZk=
=JMjR
-----END PGP SIGNATURE-----





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org