David Eisenstein wrote:
> STEP 2 AND STEP 1.4
>
> I am wondering ... it seems to me that we included code in the RPM
> "legacy-yumconf-3-4.fc3.noarch.rpm" that includes and automatically
> installs the Fedora Legacy GPG key when this RPM package is installed.
> Can someone confirm or deny that? If so, then "Step 2: Configure yum for
> Fedora Legacy" already takes care of the work that Step 1.4 asks the user
> to do.
>
> HOWEVER, as the legacy-yumconf RPM file itself is signed by the Fedora
> Legacy key, the "rpm -Uvh" step in step 2 would be downloading and
> installing the legacy-yumconf package without the benefit of the Legacy
> GPG key to check to make sure it is not tampered with. So it seems to me
> that Step 1.4 isn't necessarily a duplication of effort, as it verifies
> that the legacy-yumconf package installed in Step 2 is signed with the
> key installed in Step 1.4.
>
> It seems a little more secure to go ahead and let users *do* step 1.4, and
> if they're lazy and don't want to do it, it gets done for them anyway.
>
> SO, is my interpretation correct? Do we need to ask the user still to do
> Step 1.4 if Step 2 takes care of it? Considering the warning the user may
> get in Step 2 if Legacy's key isn't already installed --
> ("warning: legacy-yumconf-3-4.fc3.noarch.rpm: V3 DSA signature: NOKEY,
> key ID 731002fa")
> -- would that be confusing enough to warrant keeping Step 1.4 there and
> asking the user to do it? If we removed Step 1.4, would we introduce some
> kind of risk to the user -- say, if a Fedora Legacy downloading site or
> mirror were to be compromised by some attacker, who might put in his/her
> own legacy-yumconf package and install a gpg key of his/her choice?
Would it be possible to get legacy-yumconf signed with the regular
(non-legacy) FC3 key?

Nils.
--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
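The trust-bootstrap problem discussed above (the yumconf RPM carries the key it is signed with, so installing it first means installing it unverified) is usually handled by importing the key before the package and then refusing to install anything that `rpm --checksig` cannot verify. The script below is an added example written for this page, not code from the Fedora Legacy project or the thread. It assumes a placeholder key URL (`LEGACY_KEY_URL`), takes the key ID 731002fa from the NOKEY warning quoted in the thread, and assumes two `rpm --checksig` output formats: the rpm 4.3-era `... dsa sha1 md5 gpg OK` / `... (GPG) NOT OK (MISSING KEYS: GPG#...)` lines, and the newer `... digests signatures OK` form. Anything else fails closed.

```shell
#!/bin/sh
# Added example (not from the list thread or the Fedora Legacy project).
# Order of operations: import the Legacy key (Step 1.4) BEFORE installing
# legacy-yumconf (Step 2), and only install when rpm reports a verified
# GPG signature. A digest-only "OK" or a NOKEY result is rejected.
set -eu

# Placeholder: the real key download location is not given on this page.
LEGACY_KEY_URL="${LEGACY_KEY_URL:-https://example.invalid/FEDORA-LEGACY-GPG-KEY}"
# Key ID as quoted in the NOKEY warning in the thread.
LEGACY_KEY_ID="731002fa"

# sig_ok LINE: return 0 only when one line of `rpm --checksig` output shows a
# verified GPG signature. Assumed formats: rpm 4.3 "... dsa sha1 md5 gpg OK"
# and newer "... digests signatures OK". Unknown formats fail closed.
sig_ok() {
    line=$1
    case "$line" in
        *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*) return 1 ;;   # unverified / missing key
        *" gpg OK"|*" signatures OK")        return 0 ;;   # signature verified
        *)                                   return 1 ;;   # digest-only or unknown
    esac
}

# key_present: is the Legacy key already in the rpm keyring?
# rpm stores imported keys as gpg-pubkey packages whose version is the key ID.
key_present() {
    rpm -q gpg-pubkey --qf '%{version}\n' 2>/dev/null | grep -qx "$LEGACY_KEY_ID"
}

# install_yumconf PKG: Step 1.4 then Step 2, failing closed on any doubt.
install_yumconf() {
    pkg=$1
    if ! key_present; then
        echo "importing Fedora Legacy key $LEGACY_KEY_ID" >&2
        curl -fsSL "$LEGACY_KEY_URL" -o /tmp/legacy.key   # placeholder URL
        rpm --import /tmp/legacy.key
    fi
    out=$(rpm --checksig "$pkg")
    if sig_ok "$out"; then
        rpm -Uvh "$pkg"
    else
        echo "refusing to install $pkg: $out" >&2
        return 1
    fi
}

# Usage: sh bootstrap-legacy.sh legacy-yumconf-3-4.fc3.noarch.rpm
if [ "$#" -gt 0 ]; then
    install_yumconf "$1"
fi
```

Running the check before `rpm -Uvh` turns the NOKEY warning from the thread into a hard stop: a mirror serving a repackaged yumconf with a substituted key cannot pass `sig_ok` unless it is signed by a key the host already trusts, which is the property Step 1.4 is there to provide.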