[Centos] Re: CentOS GPG key import process




On Tue, 27 Apr 2004, R P Herrold wrote:

> On Tue, 27 Apr 2004, Lance Davis wrote:
> 
> > I think the key should be installed automatically as part of the install 
> > process - but don't know how / why it isn't ...
> 
> Two schools of thought there -- When doing a local RO media
> install, one assumedly trusts the media to not have been
> tampered with, and it should be added [the use of the media is
> a manual act of trust]; when doing a wire install, unless
> there is a prior affirmative act on the chain of trust
> [manual installation of the key from a trusted source], it is
> probably reasonable to not do (rpm as a matter of strict 
> policy runs without user intervention).

But surely - if the key is not the correct one - i.e. is a trojan, then the 
packages may also have been signed with the trojanned key anyway - because 
they are being downloaded from the same source .....

The key should really not be sourced from a mirror I guess, only from the 
root repo, or the key md5sum should be checked. ???

Lance
-- 
uklinux.net - The ISP of choice for the discerning Linux user. 
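
The check raised in the message above, as an added example that is not part of the original post or of CentOS tooling: before a key fetched from a mirror is imported, its OpenPGP v4 fingerprint (RFC 4880, used here in place of an md5sum of the file) is compared with a fingerprint obtained from a separate trusted source. The function names and the sample key are constructed for illustration.

```python
import base64, hashlib, struct

def dearmor(text):
    """Binary packets from an armored block: drop markers, "Name: value" headers, "=CRC24" line."""
    lines = [l.strip() for l in text.strip().splitlines()]
    b64 = [l for l in lines if l and not l.startswith(("-----", "=")) and ":" not in l]
    return base64.b64decode("".join(b64))

def first_packet(data):
    """Parse the first OpenPGP packet header; return (tag, body)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    hdr = data[0]
    if hdr & 0x40:                          # new-format header
        tag, l0 = hdr & 0x3F, data[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + data[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:                                   # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype                      # 1, 2 or 4 length octets
        start, length = 1 + n, int.from_bytes(data[1:1 + n], "big")
    if len(data) < start + length:
        raise ValueError("truncated packet")
    return tag, data[start:start + length]

def v4_fingerprint(armored):
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet first")
    # RFC 4880 section 12.2: SHA-1 over 0x99, two-octet length, packet body.
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_matches_pin(armored, pinned):
    """True only if the key equals the fingerprint obtained out of band."""
    return v4_fingerprint(armored) == pinned.replace(" ", "").upper()

def sample_key(modulus):                    # constructed sample, not a real key
    mpis = struct.pack(">H", 64) + modulus.to_bytes(8, "big") + b"\x00\x11\x01\x00\x01"
    body = b"\x04" + struct.pack(">IB", 1083024000, 1) + mpis
    pkt = b"\x99" + struct.pack(">H", len(body)) + body
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + base64.b64encode(pkt).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

The pinned value has to arrive by a different path than the key and packages; a fingerprint read from the same mirror adds nothing.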


