Should I worry about it?

"The CloudLinux developer found that it could update or patch unauthorized RPM packages, either because they were unsigned or signed with revoked or expired keys."

So I wouldn’t think so. All packages in Fedora are signed with keys that have not expired.

I do hope a CVE has been filed by now:


It’s ZDNet click-bait; it’s not a major security bug, and it’s been known forever that RPM trusts revoked PGP keys, the same way you would if you didn’t receive the revocation. GPG doesn’t automatically check for key revocation, either. You can even install unsigned packages with RPM without warning. Reading the discussion in the upstream issue should be enlightening.
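A defender-side check for the behaviour described in this thread (RPM accepts an unsigned package silently, and keeps trusting an imported key until that key is removed from the rpmdb, whatever happened to it upstream). This is an added example, not code from the thread or from the RPM project. It assumes the `rpm -K` result-line format of rpm 4.14 and later, GnuPG 2.2+ for `gpg --show-keys`, and a hypothetical script name `check_rpm_sigs.sh`; the result lines used for testing are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the RPM project): audit the signature
# state of RPM files and list the keys RPM currently trusts.
# Assumes the `rpm -K` output format of rpm 4.14+:
#   pkg.rpm: digests signatures OK        -> signed, key imported, verified
#   pkg.rpm: digests SIGNATURES NOT OK    -> bad signature or signing key not imported
#   pkg.rpm: digests OK                   -> no signature at all (rpm does not warn)

# classify_sig_line LINE: print a one-word verdict for one `rpm -K` result line.
classify_sig_line() {
    case $1 in
        *"digests signatures OK"*)  echo SIGNED_OK ;;
        *"DIGESTS"*"NOT OK"*)       echo DIGEST_BAD ;;  # header/payload digest mismatch
        *"SIGNATURES NOT OK"*)      echo SIG_BAD ;;
        *"digests OK"*)             echo UNSIGNED ;;    # digests only: nothing to trust
        *)                          echo UNKNOWN ;;
    esac
}

# audit_results: read `rpm -K` lines on stdin and print "<verdict> <file>" for
# every package that is not signed-and-verified. Returns 1 if any such package
# was seen, so the function can gate an install or deployment step.
audit_results() {
    rc=0
    while IFS= read -r line; do
        verdict=$(classify_sig_line "$line")
        if [ "$verdict" != SIGNED_OK ]; then
            echo "$verdict ${line%%:*}"
            rc=1
        fi
    done
    return $rc
}

# list_trusted_keys: every gpg-pubkey pseudo-package in the rpmdb is a key RPM
# will accept. Revocation or expiry upstream does not remove it from this list;
# only `rpm -e gpg-pubkey-<id>` does.
list_trusted_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}  %{SUMMARY}\n'
}

# inspect_trusted_keys: feed the armored keys stored in the rpmdb to gpg so the
# expiry dates and any embedded revocation certificates become visible
# (assumes GnuPG 2.2+ for --show-keys).
inspect_trusted_keys() {
    rpm -q gpg-pubkey --qf '%{DESCRIPTION}\n' | gpg --show-keys
}

# Usage: sh check_rpm_sigs.sh pkg1.rpm pkg2.rpm ...   (script name is hypothetical)
if [ $# -gt 0 ] && command -v rpm >/dev/null 2>&1; then
    rpm -K "$@" | audit_results
    echo "--- keys RPM currently trusts ---"
    list_trusted_keys
fi
```

The classifier deliberately treats a bare `digests OK` as a finding: rpm reports it as success, but it means the package carries no signature to verify. Pair `audit_results` with a periodic `inspect_trusted_keys` review, since a key that is expired or revoked upstream still verifies locally until someone removes it.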


Thanks for the answers.