Bug 8421 - Instructions to verify RPM signatures misses good security practices
Summary: Instructions to verify RPM signatures misses good security practices
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Documentation (show other bugs)
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: MediumPrio
Assignee: Bugzilla mail exporter
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-09-06 16:54 CEST by William Sjöblom
Modified: 2024-09-10 13:29 CEST (History)
CC List: 0 users

See Also:
Acceptance Criteria:


Attachments

Description William Sjöblom cendio 2024-09-06 16:54:40 CEST
- https://www.cendio.com/resources/docs/tag/install_install.html#verifying-the-server-rpm
- https://www.cendio.com/resources/docs/tag/client_linux.html#verifying-the-client-rpms

Right now, these sections *assume* the user is aware of good security practices. An example of this could be downloading the public key at different times from different places and comparing it.

As it stands right now, reading these sections makes it sound like verifying the RPMs using the public key in the same ZIP is a valid way to ensure authenticity of the RPMs.

The fact that we do not mention such practices is problematic for two reasons:

1. New users may get a false sense of trust by missing out on these security practices. 

2. Experienced users that know about these practices may lose confidence in Cendio's general security practices for failing to mention it.
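The practice the report asks the documentation to spell out, written out as an added example (this is not Cendio's documentation or tooling, and the file names, the second key source and the `--run` entry point are placeholders chosen for the illustration): obtain the signing key both from the download ZIP and from an independent source, refuse to import it unless the two copies carry the same key material, and only then let rpm(8) check the package signatures.

```shell
#!/bin/sh
# Added example, not part of the ThinLinc documentation or product.
# Demonstrates the check the bug report asks for: the public key shipped
# inside the ZIP is only trusted if an independently obtained copy of the
# key (another mirror, another day, another machine) carries the same
# key material. File names below are placeholders.
set -eu

# Print only the key body of an ASCII-armored key: drop the BEGIN/END
# lines, armor headers ("Version: ...", "Comment: ...") and blank lines,
# so two copies of the same key compare equal even when one source added
# a different armor header.
normalize_key() {
    sed -e '/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/d' \
        -e '/^-----END PGP PUBLIC KEY BLOCK-----$/d' \
        -e '/^[A-Za-z-]*: /d' \
        -e '/^[[:space:]]*$/d' "$1"
}

# same_key FILE_A FILE_B: succeed only when both files contain identical,
# non-empty key material.
same_key() {
    a=$(normalize_key "$1")
    b=$(normalize_key "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_rpms KEY_FROM_ZIP KEY_FROM_ELSEWHERE RPM...: import the key only
# if the copy from the ZIP matches the independently fetched copy, then
# check every RPM's signature. rpm --import normally needs root, and
# rpm --checksig (rpm -K) exits non-zero on a bad or missing signature.
verify_rpms() {
    key_zip=$1
    key_other=$2
    shift 2
    if ! same_key "$key_zip" "$key_other"; then
        echo "key mismatch between $key_zip and $key_other; refusing to import" >&2
        return 1
    fi
    rpm --import "$key_other"
    for pkg in "$@"; do
        rpm --checksig "$pkg"
    done
}

# Usage (placeholder paths):
#   sh verify.sh --run unzipped/cendio-key.asc key-from-other-source.asc unzipped/*.rpm
if [ "${1:-}" = "--run" ]; then
    shift
    verify_rpms "$@"
fi
```

Comparing the two key files is the minimum; printing the fingerprint with `gpg --show-keys --with-fingerprint` on the independently obtained copy and checking it against a fingerprint published somewhere else entirely (a web page, an announcement) adds a third source that an attacker who controlled one download would also have to control.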
