On Thu, Jun 05, 2014 at 10:46:14AM +0200, Miroslav Suchý wrote:
> >Is there a way to neutralize such packages that does not involve explicit
> >replacement of signing keys on every system trusting the abused keys?
> I am not aware of any method.

At one of my previous jobs, we planned but never had to use an approach for
this: an update to the '-release' RPM which included a post script to remove
the compromised key from systems.


-- 
Matthew Miller
<mat...@fedoraproject.org>
Fedora Project Leader
--
security mailing list
security@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/security
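
The cleanup step such a '-release' post script would need, sketched as an added example; it is not part of the original message or of any Fedora package. The function names and the key IDs are hypothetical, and the sample key ID is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original message. Key IDs shown are constructed.
#
# rpm keeps each imported public key as a pseudo-package named
#   gpg-pubkey-<last 8 hex digits of the key ID, lowercase>-<creation time, hex>

# short_keyid KEYID: print the 8-digit form rpm uses; non-zero on bad input.
short_keyid() {
    id=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'A-F' 'a-f')
    case "$id" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#id}" -ge 8 ] || return 1
    printf '%s\n' "$id" | sed 's/.*\(.\{8\}\)$/\1/'
}

# match_key_pkgs KEYID: filter "name-version-release" lines on stdin down to
# the pseudo-packages that hold the given key. No match is not an error.
match_key_pkgs() {
    short=$(short_keyid "$1") || return 2
    grep -E "^gpg-pubkey-${short}-[0-9a-f]+\$" || return 0
}

# remove_key KEYID: erase every imported copy of the key from rpm's keyring.
remove_key() {
    short_keyid "$1" >/dev/null || { echo "bad key ID: $1" >&2; return 2; }
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 2>/dev/null |
        match_key_pkgs "$1" |
        while read -r pkg; do
            rpm -e --allmatches "$pkg" || echo "could not remove $pkg" >&2
        done
}

# In the scriptlet: remove_key 0xAAAABBBBDEADBEEF   (placeholder key ID)
```

rpm holds its database lock for the duration of a transaction, so an `rpm -e` issued from inside a `%post` scriptlet may fail or block; test whether the removal has to be deferred until the transaction ends. yum and dnf import a key from a repository's `gpgkey=` location when it is needed, so the same update also has to stop shipping or referencing the compromised key file.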
