Bug 1084721
Summary: | Gluster RPMs for CentOS/etc from download.gluster.org are not consistently signed | |
---|---|---|---
Product: | [Community] GlusterFS | Reporter: | Kurt Seifried <kseifried>
Component: | core | Assignee: | GlusterFS Bugs list <gluster-bugs>
Status: | CLOSED NOTABUG | QA Contact: |
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 3.4.2 | CC: | bressers, bugs, gluster-bugs
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2014-10-16 16:14:51 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Kurt Seifried
2014-04-05 22:31:05 UTC
So one concern: this forces people using the gluster packages from download.gluster.org either to install several GPG keys of unknown safety (they are on developer machines? An internet-connected server? Who knows?) or to disable checks for GPG signatures on the packages from downloads.gluster.org if they want to install/update the packages (which they would). Both (especially the disabling of signatures) make it much easier for an attacker that compromises download.gluster.org to then insert RPMs such as a kernel RPM or openssh RPM with modified contents that are then installed on the victims' systems.

Yup, the keys changed. They haven't changed since. You seem to be inventing a problem that doesn't exist, i.e. continuously changing. Closing as not a bug.
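The risk the reporter describes is a repository configuration in which `gpgcheck` has been switched off, or in which `gpgcheck` is on but no `gpgkey` is pinned, so any key offered at install time gets trusted. The following audit script is an added example written for this page, not something from the bug report or from the Gluster project. It parses yum/dnf `.repo` files and flags those two weak states; the repo ids, URLs and sample file below are constructed placeholders.

```shell
#!/bin/sh
# Audit yum/dnf .repo definitions for settings that let unsigned or
# arbitrarily-signed packages install. Added example, not Gluster project code.
# Three findings are reported per [section]:
#   gpgcheck=0                  -> signatures are never verified
#   no gpgkey= line             -> any key imported at install time is trusted
#   gpgkey over plain http://   -> the key itself can be swapped in transit
# A section without gpgcheck= inherits the [main] default and is treated as
# checking, which is a simplification (dnf defaults to gpgcheck=1).

audit_repo() {
    # $1: path to a .repo file. Prints one line per section: "OK   id" or "WEAK id: reason".
    awk '
        function flush() {
            if (section == "") return
            if (gpgcheck == "0")
                printf "WEAK %s: gpgcheck=0 (signatures not verified)\n", section
            else if (gpgkey == "")
                printf "WEAK %s: gpgcheck on but no gpgkey pinned\n", section
            else if (gpgkey !~ /^(https:\/\/|file:\/\/)/)
                printf "WEAK %s: gpgkey not fetched over https or file: %s\n", section, gpgkey
            else
                printf "OK   %s\n", section
        }
        /^\[.*\]$/ { flush(); section = substr($0, 2, length($0) - 2); gpgcheck = ""; gpgkey = ""; next }
        /^ *gpgcheck *=/ { sub(/^[^=]*= */, ""); gpgcheck = $0; next }
        /^ *gpgkey *=/   { sub(/^[^=]*= */, ""); gpgkey = $0; next }   # first URL only is inspected
        END { flush() }
    ' "$1"
}

repo_is_safe() {
    # Exit 0 only when no section in $1 is flagged WEAK.
    ! audit_repo "$1" | grep -q '^WEAK'
}

# Constructed sample: one well-configured section and two weak ones.
# repo.example.invalid is a placeholder host, not a real repository.
SAMPLE_REPO=$(mktemp)
cat > "$SAMPLE_REPO" <<'EOF'
[gluster-signed]
name=Constructed example: key pinned over HTTPS
baseurl=https://repo.example.invalid/gluster/
gpgcheck=1
gpgkey=https://repo.example.invalid/pub.key

[gluster-nocheck]
name=Constructed example: verification disabled
baseurl=https://repo.example.invalid/gluster/
gpgcheck=0

[gluster-nokey]
name=Constructed example: check on, no key pinned
baseurl=http://repo.example.invalid/gluster/
gpgcheck=1
EOF

audit_repo "$SAMPLE_REPO"
```

Run against `/etc/yum.repos.d/*.repo` on a host, the `WEAK` lines are the sections where a compromised mirror could deliver altered packages without the package manager objecting; `repo_is_safe` gives a single exit status suitable for a configuration-compliance check.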