On Tue, 21 Feb 2006, Eric Rostetter wrote: > I've added the following to the web site: > > http://www.fedoralegacy.org/docs/yum-fc3.php > > and would appreciate testing, feedback, etc. Thanks! Hey Eric, I think you have done a wonderful job with this web-page. The instruc- tions are clear, concise, easy-to-read and understand, even by a Linux novice, and seem to cover all of the technical points necessary for a Fedora Core 3 user to get his/her system(s) to use YUM to continue keeping his/her system up-to-date with Fedora Legacy updates, and to do so securely. It is also well-formatted and looks professional. Good job! STEP 2 AND STEP 1.4 I am wondering ... it seems to me that we included code in the RPM "legacy-yumconf-3-4.fc3.noarch.rpm" that includes and automatically installs the Fedora Legacy GPG key when this RPM package is installed. Can someone confirm or deny that? If so, then "Step 2: Configure yum for Fedora Legacy" already takes care of the work that Step 1.4 asks the user to do. HOWEVER, as the legacy-yumconf RPM file itself is signed by the Fedora Legacy key, the "rpm -Uvh" step in step 2 would be downloading and installing the legacy-yumconf package without the benefit of the Legacy GPG key to check to make sure it is not tampered with. So it seems to me that Step 1.4 isn't necessarily a duplication of effort, as it verifies that the legacy-yumconf package installed in Step 2 is signed with the key installed in Step 1.4. It seems a little more secure to go ahead and let users *do* step 1.4, and if they're lazy and don't want to do it, it gets done for them anyway. SO, is my interpretation correct? Do we need to ask the user still to do Step 1.4 if Step 2 takes care of it? Considering the warning the user may get in Step 2 if Legacy's key isn't already installed -- ("warning: legacy-yumconf-3-4.fc3.noarch.rpm: V3 DSA signature: NOKEY, key ID 731002fa") -- would that be confusing enough to warrant keeping Step 1.4 there and asking the user to do it? If we removed Step 1.4, would we introduce some kind of risk to the user -- say, if a Fedora Legacy downloading site or mirror were to be compromised by some attacker, who might put in his/her own legacy-yumconf package and install a gpg key of his/her choice? By the way, the legacy-yumconf rpm the user installs not only updates this user's YUM configuration, it also updates the user's up2date configuration as well, if the user is inclined to use the up2date tool, and the RHN desktop icon (I believe). (Please correct me if I am wrong.) Do we need updated up2date documentation for Fedora Core 3? Core 2 as well? STEP 7 Was thinking that maybe a little more information about how to get more detailed knowledge about yum would be appropriate here. Something like, "For more information about these yum commands and other yum abilities, do 'man yum' or go to <yada yada> website." What do you think? Warm regards, David Eisenstein -- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list
