Linked by David Adams on Thu 11th Sep 2008 16:11 UTC, submitted by Renai LeMay
Privacy, Security, Encryption
The Red Hat-supported Fedora Project has started issuing updates to its Linux distribution again, after a hiatus of several weeks caused by a hacker break-in. Late yesterday, Fedora emailed its users to let them know that it would soon issue updates for its most recent Fedora 8 and 9 operating systems.
That sounds like a bad idea.
by Bill Shooter of Bul on Thu 11th Sep 2008 19:36 UTC

From what I make of it, a GPG key was compromised, so they have to transition to a new one. In order to do that, they are asking their users to trust the compromised key one more time.

Isn't that a golden opportunity for whoever stole the key to inflict further damage?

Plus, all Mallory needs to do is intercept the new key, replace it with his own, and use it to sign malicious updates.

If I'm missing some key detail that makes all of the above moot, please let me know.

Reply Score: 1
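The key substitution the comment above worries about is what fingerprint pinning is meant to catch. The following is an added example, not part of the comment or of Fedora's tooling: it parses GnuPG colon-format key listings and accepts a downloaded key file only if its single primary key matches a full fingerprint obtained over a separate channel. The listing, fingerprints and function names are constructed for illustration, and 40-hex-digit (v4) fingerprints are assumed.

```python
# Added example with constructed data; these are not real Fedora keys.
# Input is the kind of text `gpg --show-keys --with-colons FILE` prints.
PRIMARY = "0123456789ABCDEF01234567AAAABBBBCCCCDDDD"  # constructed
SUBKEY = "FEDCBA9876543210FEDCBA981111222233334444"   # constructed

SAMPLE_LISTING = (
    "pub:-:4096:1:AAAABBBBCCCCDDDD:1220000000:::-:::scSC::::::23::0:\n"
    "fpr:::::::::" + PRIMARY + ":\n"
    "uid:-::::1220000000::::Example Distro (constructed) <keys@example.invalid>:\n"
    "sub:-:4096:1:1111222233334444:1220000000::::::e::::::23:\n"
    "fpr:::::::::" + SUBKEY + ":\n"
)


def primary_fingerprints(listing):
    """Return the fingerprint of every primary key in a colon listing."""
    found, expect_primary = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True       # the next fpr record is the primary's
        elif fields[0] == "sub":
            expect_primary = False      # the next fpr record is a subkey's
        elif fields[0] == "fpr" and expect_primary and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 holds the fingerprint
            expect_primary = False
    return found


def normalize(fingerprint):
    """Strip the spaces people add when printing fingerprints."""
    return "".join(fingerprint.split()).upper()


def key_matches_pin(listing, pinned):
    """True only if the file holds exactly one primary key and it is the pinned one."""
    fprs = primary_fingerprints(listing)
    if len(fprs) != 1:
        return False  # an extra key in the file would get imported as well
    pin = normalize(pinned)
    if len(pin) != 40:
        return False  # refuse short key IDs, which can be collided
    return fprs[0] == pin


if __name__ == "__main__":
    print(key_matches_pin(SAMPLE_LISTING, PRIMARY))
```

The check is only as good as the channel the pinned fingerprint came from; a fingerprint fetched from the same server as the key file proves nothing.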