
Re: Subversion 1.8 in RHEL/Centos repositories

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Tue, 3 Nov 2015 13:54:36 +0000

Nico Kadel-Garcia wrote on Tue, Nov 03, 2015 at 06:06:18 -0500:
> On Mon, Nov 2, 2015 at 8:59 AM, Junek Leoš <junek_at_oksystem.cz> wrote:
> > I would like to install Subversion 1.8 from native distribution repository
> > and wonder why it is not available…
>
> My RPM building tools are published. I don't personally have a web
> service I can rely on sufficiently well to publish reliable, GPG
> signed RPMs and have high confidence that someone can't maliciously
> replace the repository, including a fake GPG key. Who checks the
> signature chain on website published GPG keys?

Even people who don't have a PGP trust path to your key will still be
protected from this attack if they do "key pinning", i.e., if they check
that "it's the same key as last time".

(So long as people don't re-pin to a new key when the key on the website
changes, of course.)
Received on 2015-11-03 14:54:56 CET
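
The "same key as last time" check described in the message above, as an added example (not part of the original post or of any Subversion tooling). It assumes the key listing comes from `gpg --show-keys --with-colons KEYFILE`; the function names, the JSON pin store and the sample key records are hypothetical and constructed for illustration.

```python
import json
import os
import tempfile

class PinMismatch(Exception):
    """The key offered now is not the key pinned earlier."""

def primary_fingerprint(colons):
    """Primary-key fingerprint from `gpg --show-keys --with-colons KEYFILE` output."""
    found, after_pub = [], False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 holds the fingerprint
            after_pub = False                # later fpr lines belong to subkeys
    if len(found) != 1:
        raise ValueError("expected exactly one primary key, found %d" % len(found))
    return found[0]

def check_pin(store_path, repo, fingerprint):
    """Return 'first-use' or 'match'; raise PinMismatch if the key changed."""
    pins = {}
    if os.path.exists(store_path):
        with open(store_path) as fh:
            pins = json.load(fh)
    pinned = pins.get(repo)
    if pinned is None:
        pins[repo] = fingerprint
        with open(store_path, "w") as fh:
            json.dump(pins, fh, indent=2)
        return "first-use"
    if pinned != fingerprint:
        # Never re-pin automatically: the store is left exactly as it was.
        raise PinMismatch("%s: pinned %s, offered %s" % (repo, pinned, fingerprint))
    return "match"

def listing(fpr, sub_fpr):
    """Constructed, simplified stand-in for gpg colon output (not a real key)."""
    rec = "fpr" + ":" * 9 + "%s:\n"
    return "pub:-:4096:1::1400000000:\n" + rec % fpr + "sub:-:4096:1::1400000000:\n" + rec % sub_fpr

if __name__ == "__main__":
    store = os.path.join(tempfile.mkdtemp(), "pins.json")
    for fpr in ("A" * 40, "A" * 40, "B" * 40):  # third run simulates a swapped key
        try:
            print(check_pin(store, "example-repo", primary_fingerprint(listing(fpr, "C" * 40))))
        except PinMismatch as exc:
            print("REFUSED:", exc)
```

The pin only has value if the first fetch was genuine and if replacing a pinned fingerprint stays a manual step, verified through some channel other than the website that serves the key.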

This is an archived mail posted to the Subversion Users mailing list.
