View Issue Details

IDProjectCategoryView StatusLast Update
0018018CentOS-8generalpublic2021-01-15 10:54
Reportercndc Assigned To 
PriorityhighSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version8.3.2011 
Summary0018018: Packages signed with unknown keys install and work - this is a major security issue - malware should always be rejected.
DescriptionRunning "mock -r epel-8-x86_64 --init" reports a number of packages signed with unknown keys (alarmingly - I think it includes a package which installs new keys!!)

Unknown keys mean anyone/any mirror can inject their own malware-ridden versions to get total compromise of victim systems.

Unless we specifically decide to accept broken/suspect packages, NOTHING should ever use or install them without failing.
Steps To ReproduceRun:

mock -r epel-8-x86_64 --init
Additional InformationIt currently produces warnings. This is not appropriate for mistakes with such potentially catastrophic implications.

All security-related warnings need to be errors which halt.
Tagssecurity

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2021-01-15 10:54 cndc New Issue
2021-01-15 10:54 cndc Tag Attached: security