A few days ago, PackageCloud published a blog post on “attacks against GPG signed APT repositories”, and since I am involved in both the Fedora Project Infrastructure and Release Engineering teams, I figured I’d give some insight into how the Fedora Project secures our update delivery. Note that my remarks are all about the default Fedora Project repositories as shipped with Fedora.

Signed packages

First of all, all RPM packages shipped by the Fedora Project are GPG-signed.
4 min read
Update 2020-02-05: This continues to work for Fedora 31 on Podman running UBI8 (

Introduction

I now do most of my development work in a setup based on RPM-OSTree with my own trees, and do most of my development work inside containers. However, I do still work for Red Hat, so I would like to test stuff against Red Hat Enterprise Linux-based platforms, but as you might be aware, getting the required entitlements set up is considered “difficult”, so I did as probably a lot of people do: I used CentOS containers, just because they don’t require fiddling with the entitlement stuff.
4 min read
Well, the switch happened this morning (2015-07-15): Fedora Infrastructure upgraded the authentication infrastructure, which is the web application that does the authentication of users for our web applications, from FedOAuth to Ipsilon! There had been an outage scheduled this morning from 08:00 until 10:00 UTC for the migration, and at 09:30 the OpenID services were all available again and at 10:00 all services that Fedora Infrastructure runs were working again! (Persona took longer due to a mistake on my part with published public keys not belonging to the keys actually used, sorry for that).
1 min read