> Alternatively, rpm signing could be enabled instead:
> * run "gpg --install /usr/share/rhn/RPM-GPG-KEY"

no - for yum 2.0.X and therefore rpm 4.1.1 or greater you want to run:

rpm --import /usr/share/rhn/RPM-GPG-KEY

> * have the yum.conf file always set gpgcheck=1
> This would at least ensure that if a cracker installed a trojan in the
> duke yum repository, it would be rejected due to invalid signature.

This was discussed some time ago on the list, and the reason for not setting gpgcheck=1 is fairly simple: most users have no concept of what the gpg checking does. It would just make it next to impossible for users to use the tool. I set it on my systems that I manage, but in general most users don't use it.

I think if Red Hat, for example, wanted gpgcheck=1 on all of the repositories for the package of yum that is being provided in Fedora Core, then that would be great. But I think making it the default for the program might cause other nightmares, especially considering that if gpgcheck=1 then an unsigned package == bad signature.

But other people's thoughts are welcome here, and default configs are easily modified in the package someone provides.

-sv
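A quick audit of the situation the thread describes, added here as an example (not code from the original thread): given a yum.conf where gpgcheck is set per section or inherited from [main], list the repositories that would still accept unsigned packages. The sample config is constructed, and the inheritance rule (a repo section without gpgcheck falls back to [main], which defaults to 0) is an assumption about yum.conf semantics.

```bash
#!/bin/sh
# Constructed sample yum.conf for the audit (not a real system's config).
SAMPLE_CONF='[main]
gpgcheck=0
cachedir=/var/cache/yum

[base]
name=Base
gpgcheck=1

[duke]
name=Duke mirror

[extras]
name=Extras
gpgcheck=0
'

# Print "repo=value" for every repo section's effective gpgcheck.
# Assumption: a repo without gpgcheck inherits [main]; absent there, 0.
gpgcheck_audit() {
    printf '%s\n' "$1" | awk '
        /^\[.*\]$/ {
            sec = substr($0, 2, length($0) - 2)
            if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
            next
        }
        /^gpgcheck[ \t]*=/ {
            v = $0; sub(/^gpgcheck[ \t]*=[ \t]*/, "", v); val[sec] = v; next
        }
        END {
            def = ("main" in val) ? val["main"] : "0"
            for (i = 1; i <= n; i++) {
                s = order[i]; if (s == "main") continue
                eff = (s in val) ? val[s] : def
                printf "%s=%s\n", s, eff
            }
        }'
}

# Space-separated list of repos whose effective gpgcheck is not 1,
# i.e. repos from which a trojaned or unsigned rpm would be installed.
unverified_repos() {
    gpgcheck_audit "$1" | awk -F= '
        $2 != "1" { out = out (length(out) > 0 ? " " : "") $1 }
        END { print out }'
}

# Remediation is the thread's own advice: rpm --import the repo key,
# then set gpgcheck=1 (remembering that unsigned packages then fail).
echo "repos without signature checking: $(unverified_repos "$SAMPLE_CONF")"
```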