26 Mar 2001, 14:48
The point is this: with automatic key download the attacker doesn't need to get a key to the victim. Without it, the attacker simply sends out a new self-signed key and makes it appear as if from the vendor. In the last month several vendors have issued new keys, all self-signed, posted to various mailing lists, etc. Do you 100% trust the security of all your mirror sites? Do you 100% trust your DNS server, especially now with more people using autorpm/rhupdate/etc.? Will SuSE be fixing this à la Caldera/others?

-Kurt