https://bugzilla.novell.com/show_bug.cgi?id=868440

https://bugzilla.novell.com/show_bug.cgi?id=868440#c2

--- Comment #2 from Jon Nelson <jnelson-suse@jamponi.net> 2014-03-15 16:06:04 UTC ---

Yes, but that's not the same thing. rpm signature verification has been around a long time. Allowing the installation of unsigned or signed-but-non-verifiable (or even signed-but-wrong!) rpms *even if* the repo data is signed (and matches) is still a security risk. A small bug in properly verifying the repo signature opens an enormous security hole.