Re: [Rpm-maint] [rpm-software-management/rpm] RPMv6 proposal: Detached signatures (#1482)

2021-01-17 Thread Kevin Fenzi
> @mlschroe Sadly, Fedora doesn't sign its metadata. We don't need to, as we use metalinks. In the metalink are the checksum(s) for the valid repomd.xml file. If someone tampers with the repodata it will not match and the client will go on to the next one. But that's likely off-topic for this

Re: [Rpm-maint] [rpm-software-management/rpm] Bring back Python2 support (#1505)

2021-01-17 Thread Miroslav Vadkerti
I guess that is a no-go anyway, looking at commit 67f8f2b01d00f03f2d6c072fb2697d3860abe47b. We will solve it otherwise ... Closing -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub:

Re: [Rpm-maint] [rpm-software-management/rpm] Bring back Python2 support (#1505)

2021-01-17 Thread Miroslav Vadkerti
Closed #1505. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/1505#event-4215470601

Re: [Rpm-maint] [rpm-software-management/rpm] Bring back Python2 support (#1505)

2021-01-17 Thread Miroslav Vadkerti
@pmatilai hi, would it be unrealistic to get back support for Python2? Some of our tools still use Python2 bindings and install them via `rpm-py-installer`, but with rpm-4.16 this does not work anymore. So our tools are not installable nicely with Fedora-33 and Rawhide. This would give us a bit

Re: [Rpm-maint] [rpm-software-management/rpm] RPMv6 proposal: have a “master signature” that signs the signature header (#1504)

2021-01-17 Thread Demi Marie Obenour
Closed #1504. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1504#event-4214971054

[Rpm-maint] [rpm-software-management/rpm] RPMv6 proposal: have a “master signature” that signs the signature header (#1504)

2021-01-17 Thread Demi Marie Obenour
The RPM signature header is growing more and more complex, with new types such as per-file and fsverity signatures being added. This increases the risks of bugs in its parsing. Since the signature header is not itself signed, these bugs are critical security vulnerabilities. I propose that

Re: [Rpm-maint] [rpm-software-management/rpm] Avoid negating an attacker-controlled signed integer (#1502)

2021-01-17 Thread Demi Marie Obenour
@DemiMarie pushed 0 commits. -- You are receiving this because you are subscribed to this thread. View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1502/files/706e7c2e11eecaaab0953eb68618fe2f34aaed99..28e97bacfc011d2304d494f8762d69ed73cde68e

Re: [Rpm-maint] [rpm-software-management/rpm] Avoid negating an attacker-controlled signed integer (#1502)

2021-01-17 Thread Demi Marie Obenour
@DemiMarie pushed 1 commit. 706e7c2e11eecaaab0953eb68618fe2f34aaed99 Check that the blob is long enough for a region -- You are receiving this because you are subscribed to this thread. View it on GitHub:

Re: [Rpm-maint] [rpm-software-management/rpm] Forbid tag data with count zero (#1496)

2021-01-17 Thread Demi Marie Obenour
@DemiMarie pushed 1 commit. 282ff55d448f85cfdbd94348badea14cd8cac9bb Tag data must have count greater than zero -- You are receiving this because you are subscribed to this thread. View it on GitHub:

Re: [Rpm-maint] [rpm-software-management/rpm] Check that count and data length are reasonable (#1492)

2021-01-17 Thread Demi Marie Obenour
@DemiMarie pushed 1 commit. 8f0c8600f1bc25dd9b724ee4d4086fc0bf91827c Check that count and data length are reasonable -- You are receiving this because you are subscribed to this thread. View it on GitHub:

Re: [Rpm-maint] [rpm-software-management/rpm] Reject signatures outside of signature header (#1503)

2021-01-17 Thread Demi Marie Obenour
@DemiMarie pushed 1 commit. 4acff44a2f438921445ecb93f7d85e781292f0a3 Reject signatures in immutable headers -- You are receiving this because you are subscribed to this thread. View it on GitHub: