[Yum] gpg public keys


 



On 7 Mar 2003, seth vidal wrote:

> 
> > Is there any way to fully encapsulate gpg keychecking?  As in, have yum
> > always check gpg signatures and never tell you about it unless they fail
> > to match?  Or is there something chicken-and-eggish about this...
> 
> Chicken-and-eggish.
> 
> 1. you don't know which keys to trust
> 2. you don't know where to get the keys necessarily
> 3. you never know what whack stuff gets installed.
...
<deleted>
...
> Right now with rpm 4.2 gpg key importing is trivial.
> 
> absolutely trivial. 
> 
> So there is little excuse for not grabbing a key and using it.
> 
> even if yum doesn't implement 'yum importkey' it's still a trivial
> operation - literally one command with rpm.

Hmmm, something a bit self-contradictory in these two viewpoints.  It's
trivial, but can't be encapsulated?

What's wrong with setting up an ssl-auth'd "key repository" to parallel
the yum repositories (to manage 1,2 on an institutional basis)?  3. is
<sigh> always a problem, but one that yum manages now by just ignoring
locally installed RPMs, which are the ones I'd list as "NA" unless the
local builder supplies a key in the local repository.

Maybe it isn't worth it because we already trust that YOU'VE done the
keychecking for everything in the repository, and we can't do any better
than run off and remain sync'd with the repository only anyway for those
RPMs that it supplies...

  rgb  

-- 
Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb@xxxxxxxxxxxx




