Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Say I already trust packages.redhat.com and install rpms regularly from it. I likely already have trusted their key.

Now packages.redhat.com gets hacked - if hacker also stole private key used for signing packages and replaced the RPMs. I will get warning/error while installing rpms (which I admit most users will ignore) but a curl|bash kinda defeats the point of package signing too.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: