View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0018018 | CentOS-8 | general | public | 2021-01-15 10:54 | 2021-01-15 10:54 |
Summary: 0018018: Packages signed with unknown keys install and work - this is a major security issue - malware should always be rejected.

Description:
Running "mock -r epel-8-x86_64 --init" reports a number of packages signed with unknown keys (alarmingly - I think it includes a package which installs new keys!!)

Unknown keys mean anyone/any mirror can inject their own malware-ridden versions to get total compromise of victim systems.

Unless we specifically decide to accept broken/suspect packages, NOTHING should ever use or install them without failing.

Steps To Reproduce:
Run:

    mock -r epel-8-x86_64 --init

Additional Information:
It currently produces warnings. This is not appropriate for mistakes with such potentially catastrophic implications.

All security-related warnings need to be errors which halt.
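The behaviour the report asks for, "unknown key is an error, not a warning", can be enforced outside the package manager by checking each RPM with `rpm -Kv` before it is used and refusing the whole batch unless every package verifies against an imported key. The script below is an added example for this issue, not code from the CentOS bug report, mock or rpm; it assumes the per-check line format that `rpm -Kv` prints (an indented `... Signature, key ID <id>: <status>` or `... digest: <status>` line per check, preceded by the package name and a colon), and the sample output embedded in it is constructed, including its key IDs.

```python
"""Turn `rpm -Kv` results into a hard pass/fail decision.

Added example (not from the bug report, mock or rpm). A package is accepted
only when every digest is OK, it carries at least one signature, and every
signature verified against a key already imported into the rpm database.
NOKEY (signed by an unknown key), BAD, or no signature at all is a reject.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of `rpm -Kv good.rpm unknown.rpm unsigned.rpm` output.
# Package names and key IDs are made up for the example.
SAMPLE_OUTPUT = """\
good-1.0-1.el8.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 8483c65d: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 8483c65d: OK
    MD5 digest: OK
unknown-2.3-4.el8.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID deadbeef: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID deadbeef: NOKEY
    MD5 digest: OK
unsigned-0.1-1.el8.noarch.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
"""

PKG_RE = re.compile(r"^(\S+\.rpm):$")
SIG_RE = re.compile(r"^\s+.*Signature, key ID ([0-9a-fA-F]+): (\S+)$")
DIGEST_RE = re.compile(r"^\s+.*digest: (\S+)$")


def parse_rpm_kv(text: str) -> Dict[str, dict]:
    """Group the verbose output by package.

    Returns {package: {"sigs": [(key_id, status), ...], "digests": [status, ...]}}.
    """
    results: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = {"sigs": [], "digests": []}
            continue
        if current is None:
            continue  # stray line before any package header
        m = SIG_RE.match(line)
        if m:
            results[current]["sigs"].append((m.group(1), m.group(2)))
            continue
        m = DIGEST_RE.match(line)
        if m:
            results[current]["digests"].append(m.group(1))
    return results


def verdict(pkg: dict) -> str:
    """'ok' only for a fully verified package; every other state is a reject."""
    if any(status != "OK" for status in pkg["digests"]):
        return "reject: digest mismatch"
    if not pkg["sigs"]:
        return "reject: unsigned"
    failed: List[Tuple[str, str]] = [(k, s) for k, s in pkg["sigs"] if s != "OK"]
    if failed:
        key_id, status = failed[0]
        return f"reject: signature {status} (key ID {key_id})"
    return "ok"


def check_output(text: str) -> Dict[str, str]:
    """Per-package verdicts for one `rpm -Kv` run."""
    return {name: verdict(pkg) for name, pkg in parse_rpm_kv(text).items()}


def all_trusted(text: str) -> bool:
    """Halt condition for a build: True only if every package is 'ok'."""
    report = check_output(text)
    return bool(report) and all(v == "ok" for v in report.values())


if __name__ == "__main__":
    # Usage: python check_sigs.py < <(rpm -Kv *.rpm)   (falls back to the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for name, result in check_output(data).items():
        print(f"{name}: {result}")
    sys.exit(0 if all_trusted(data) else 1)
```

Pipe real `rpm -Kv` output into it and the exit status makes the decision the report wants: any NOKEY, BAD or unsigned package fails the run instead of scrolling past as a warning. Inside mock itself the equivalent control is `gpgcheck=1` on every repository in the chroot's dnf configuration together with the repository's key already imported, so that a package signed with a key the chroot does not know is refused rather than installed.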