This is a bug with the Fedora spec file that is not present upstream. The spec file generates an RSA keypair that is used to sign messages sent to consumers that are managed by Pulp. The spec file in Fedora 24 and Rawhide installs this key world-readable. Fixing the install won't be difficult, but fixing existing installations may be trickier. I am considering adding an instruction in %post that removes read permissions. If we took this path, we'd probably need to maintain it until Fedora 27. No "stable" versions of Fedora have ever shipped with this flaw since Pulp is new in Fedora 24 which is currently in Alpha stage. Even so, I'd be reluctant to ignore existing installations. If anyone has a suggestion of a best practice for ensuring this file has proper permissions I'd love to hear it.
https://bodhi.fedoraproject.org/updates/FEDORA-2016-2edbd5ea64
pulp-2.8.3-1.fc24 pulp-puppet-2.8.3-1.fc24 pulp-rpm-2.8.3-1.fc24 pulp-ostree-1.1.1-1.fc24 pulp-docker-2.0.1-1.fc24 pulp-python-1.1.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f9db2293a8
pulp-2.8.3-1.fc24, pulp-docker-2.0.1-1.fc24, pulp-ostree-1.1.1-1.fc24, pulp-puppet-2.8.3-2.fc24, pulp-python-1.1.1-1.fc24, pulp-rpm-2.8.3-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f9db2293a8
pulp-2.8.3-1.fc24, pulp-docker-2.0.1-1.fc24, pulp-ostree-1.1.1-1.fc24, pulp-puppet-2.8.3-2.fc24, pulp-python-1.1.1-1.fc24, pulp-rpm-2.8.3-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.