On Sun, 2002-07-21 at 21:03, Matthew Miller wrote:
> On Mon, Jul 22, 2002 at 06:30:15AM +0800, John Morris wrote:
> > If you're ultra-paranoid, it's conceivable that someone upstream of the
> > remote location could hijack the install, substituting the install images
> > and RPMs (are the digital signatures even checked by the installer?). Might
> > take quite a lot of work, but it's doable. Am I really that paranoid? :)
>
> I think having the installer check the signatures would be a better answer
> to the paranoia, yeah?

Give me a way to securely get an arbitrary number of GPG keys and assign trust values to them, and then maybe we can come back to checking GPG signatures during the install. Until then, it's a moot point, because I either have to take the up2date route (embed the Red Hat GPG-KEY in the installer sources, and then you can't customize a package list without rebuilding the installer; or there's something like having RHupdates/GPG-KEY, but that doesn't address trust concerns at all) or ask you for a GPG key on a floppy, which is kind of crappy for a) kickstart and b) all the people without floppies.

Cheers,
Jeremy