Unsigned RedHat 7.2 RPMs

Aaron_Adams · 10-26-2001, 07:58 PM

Did you hear about this JimH?

I heard that RH forgot to sign a bunch of their 7.2 packages, and people are worried that untrusted sources may start distributing them with added "features" that could cause a tad bit of havoc. Have they done anything about it yet? Re-released them signed or anything?

(Sorta older news maybe, but it just came to my mind as something that was mentioned on a mailinglist a bit ago)

JimH · 10-26-2001, 08:43 PM

Did you hear about this JimH?

I heard that RH forgot to sign a bunch of their 7.2 packages, and people are worried that untrusted sources may start distributing them with added "features" that could cause a tad bit of havoc. Have they done anything about it yet? Re-released them signed or anything?

(Sorta older news maybe, but it just came to my mind as something that was mentioned on a mailinglist a bit ago)

Yes, silly mistake by RedHat. It was only 2 rpm's. They were rpmdb and redhat-release. They have released updated rpm's for these. It is really a non-issue. If someone where to change the rpm and insert some kind a malicious code, it would change the md5sums on the re-packaged ISO images. It has been blown out of proportion by some people.

Jim H

Aaron_Adams · 10-27-2001, 01:53 AM

Oh. I thought that they didn't do MD5 sums on them either. Wierd. Ah well, glad its small. People tend to take things way out of proportion don't they.

From the story I heard, it was a lot more serious then it is. Thats why I got ask the vets lol.
Anyways thx for the info.

Aaron