[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-poweredge
Subject: [Linux-PowerEdge] RHEL7 packages for DSU_18.06.00 signed with wrong GPG key
From: James Mathiesen <jmathiesen () tripadvisor ! com>
Date: 2018-06-22 15:04:30
Message-ID: D4D4F8FD-42DF-4EA8-857B-1F1CC444234E () contoso ! com
[Download RAW message or body]
[Attachment #2 (text/plain)]
Apologies for not threading this in properly. I signed up to this mailing list just \
now specifically to complain.
Certain packages in the RHEL7 DSU_18.06.00 packages are signed with the key \
1285491434D8786F which appears to be the Debian/Ubuntu signing key. This is breaking \
both upgrades (moderately annoying) and new installations (super annoying).
In regards to Chandra's email.
* Yes, this is very challenging and inconvenient. We would very much prefer that \
the release be rolled back until fixed
* It is possible to do SHA-2 signatures with the existing DSU key
* Changing the keys used to sign your packages is not a minor change because all \
established trust configurations must be updated
* Dell's documented process for setting up new systems doesn't work because it \
only installs the 1024-bit DSU key.
* It is true that the current DSU GPG key is 1024-bits which is too small. It is \
true that the current signatures are SHA-1 which are too weak. Signing should migrate \
to a 2048 or 4096 bit key with SHA-2 but this needs to be planned and \
communicated.
* Improving the security of your packages requires that all packages (not just \
some) be signed with a stronger key with a stronger signature. So long as we are \
required to trust a weak key having some packages signed by a strong key doesn't \
improve security at all.
Again, please backout the RHEL7 release. It's broken and we have to stop tracking \
you until the dsu symlink points at a working release.
james
[Attachment #3 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1667594423;
mso-list-type:hybrid;
mso-list-template-ids:1806989714 1417056434 67698691 67698693 67698689 67698691 \
67698693 67698689 67698691 67698693;} @list l0:level1
{mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Apologies for not threading this \
in properly. I signed up to this mailing list just now specifically to \
complain.<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt">Certain packages in the RHEL7 DSU_18.06.00 packages are \
signed with the key 1285491434D8786F which appears to be the Debian/Ubuntu signing \
key. This is breaking both upgrades (moderately annoying) and new \
installations (super annoying).<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt">In regards to Chandra's email.<o:p></o:p></span></p> <p \
class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p> <ul \
style="margin-top:0in" type="disc"> <li class="MsoListParagraph" \
style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt">Yes, \
this is very challenging and inconvenient. We would very much prefer that the \
release be rolled back until fixed<o:p></o:p></span></li><li class="MsoListParagraph" \
style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt">It is \
possible to do SHA-2 signatures with the existing DSU key<o:p></o:p></span></li><li \
class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><span \
style="font-size:11.0pt">Changing the keys used to sign your packages is not a minor \
change because all established trust configurations must be \
updated<o:p></o:p></span></li><li class="MsoListParagraph" \
style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt">Dell's \
documented process for setting up new systems doesn't work because it only installs \
the 1024-bit DSU key.<o:p></o:p></span></li><li class="MsoListParagraph" \
style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt">It is \
true that the current DSU GPG key is 1024-bits which is too small. It is true \
that the current signatures are SHA-1 which are too weak. Signing should migrate to \
a 2048 or 4096 bit key with SHA-2 but this needs to be planned and \
communicated.<o:p></o:p></span></li><li class="MsoListParagraph" \
style="margin-left:0in;mso-list:l0 level1 lfo1"><span \
style="font-size:11.0pt">Improving the security of your packages requires that all \
packages (not just some) be signed with a stronger key with a stronger \
signature. So long as we are required to trust a weak key having some packages \
signed by a strong key doesn't improve security at all.<o:p></o:p></span></li></ul> \
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p> <p \
class="MsoNormal"><span style="font-size:11.0pt">Again, please backout the RHEL7 \
release. It's broken and we have to stop tracking you until the dsu symlink \
points at a working release.<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt">james<o:p></o:p></span></p> </div>
</body>
</html>
_______________________________________________
Linux-PowerEdge mailing list
Linux-PowerEdge@dell.com
https://lists.us.dell.com/mailman/listinfo/linux-poweredge
--===============8850343251968110995==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic