> Redhat's up2date requires the key, and displays a nice message/offers to
> do it ("rpm --import /usr/share/rhn/RPM-GPG-KEY") for you. yum could do
> something similar, I guess, but now we're getting distro specific.
>
> Definitely a trade off.

Well, if it's going to import the key for you, what's the point of having it on? An attacker can just trojan the key, right?

I could definitely see a point in having a default key listed that yum will import if it can - but how do you do that safely?

-sv
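One way to approach the question above, as an added example that is not part of the original message or of yum: import the key file only when its fingerprint equals one pinned from a channel the mirror does not control. The function names, `PINNED_FPR` and the sample listing are constructed for illustration, and `import_if_pinned` assumes a GnuPG that has `--show-keys`.

```shell
#!/bin/sh
# Added example (not from the thread). PINNED_FPR is a constructed placeholder:
# a real one is copied from a channel the package mirror does not control.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --with-colons` output: one primary key, one subkey.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1262304000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1262304000::::Constructed Key <key@example.invalid>::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1262304000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Strip spaces and upper-case, so "0123 4567 ..." and "01234567..." compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

# stdin: colon listing. Prints the fingerprint (field 10 of the "fpr" record
# that follows each "pub" record); subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# $1: pinned fingerprint, stdin: colon listing. Succeeds only when the file
# holds exactly one primary key and it is the pinned one, so a file that
# bundles a second key next to the pinned one is rejected.
listing_matches_pin() {
    found=$(primary_fprs)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "$(norm_fpr "$found")" = "$(norm_fpr "$1")" ]
}

# $1: key file, $2: pinned fingerprint. Fails closed if gpg is missing or errors.
import_if_pinned() {
    if gpg --show-keys --with-colons "$1" 2>/dev/null | listing_matches_pin "$2"
    then
        rpm --import "$1"
    else
        echo "refusing to import $1: fingerprint does not match the pin" >&2
        return 1
    fi
}

# Usage: import_if_pinned /usr/share/rhn/RPM-GPG-KEY "$PINNED_FPR"
```

The pin only helps if it reaches the machine by a different path than the key file, for example inside an already-verified package or from installation media.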