Re: PackageKit Misconceptions




On Wed, 22 Aug 2007 17:46:47 +0100
"Richard Hughes" <hughsient@xxxxxxxxx> wrote:

> Also, my view is that questions should never be asked. Who has ever
> clicked no to "Load GPG key from Fedora Project"? Is there a legal
> requirement to show such a warning?
> 
> So, I hope that has cleared things up a bit. Comments and suggestions
> welcome.

There aren't requirements, however given that our software is mirrored
around the world and our tools are made easy to make your own Fedora,
it's possible that somebody could start handing out spoofed Fedoras.
If the key you're asking to import says it's Fedora, but the public key
servers don't match this key, that's a very quick indication that you
should stop using the system as it's been compromised in some way.

Also it's easy enough to install some piece of software off the net
that drops a yum repo file in place and starts handing you packages
from another repo.  You should get the opportunity to confirm your
trust in this repo before it starts replacing all kinds of packages in
your system.
(now said packages that drop a repo file could just as easily set
gpgcheck=no and bypass all the trust issues, but that's neither here
nor there)

I will happily admit that our dialogs don't say any of this and just
assume that the user "gets" all this automatically.

-- 
Jesse Keating
Fedora -- All my bits are free, are yours?
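The two checks Jesse describes above, a key that claims to be Fedora but whose fingerprint does not match the one you already trust, and a dropped-in repo file that quietly sets gpgcheck off or names no key, as an added example script that is not part of the thread and not code from Fedora, yum or PackageKit. It assumes the standard .repo INI layout (one [section] per repository with gpgcheck, gpgkey, baseurl and enabled keys) and a caller-supplied allow-list of pinned fingerprints; the repo contents and the 40-hex-digit fingerprints below are constructed sample data, not real Fedora keys.

```python
"""Audit yum .repo definitions for the trust gaps discussed in the thread.

Added example, not code from the thread or from Fedora/PackageKit. Assumes
the standard .repo INI layout and a pinned fingerprint allow-list; all
sample data below is constructed.
"""
import configparser
import hmac
import re
from typing import Dict, List

# Constructed sample: one well-configured repo, one that silently disables
# signature checking, one that never names a key. Not real Fedora data.
SAMPLE_REPO_FILE = """
[fedora]
name=Fedora $releasever - $basearch
mirrorlist=https://mirrors.example.invalid/metalink?repo=fedora-$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[thirdparty]
name=Some third-party repo
baseurl=https://repo.example.invalid/packages/
enabled=1
gpgcheck=0
gpgkey=https://repo.example.invalid/KEY.asc

[unsigned]
name=Repo that never names a key
baseurl=https://other.example.invalid/
enabled=1
gpgcheck=1
"""

# Constructed placeholder fingerprints (40 hex digits, the shape of a PGP v4
# fingerprint). In practice these are pinned from an out-of-band source such
# as the distribution's published fingerprint page, never from the repo itself.
PINNED_FINGERPRINTS = {
    "fedora": "0123456789ABCDEF0123456789ABCDEF01234567",
}

_FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def _truthy(value: str) -> bool:
    """yum accepts 1/0, yes/no, true/false for boolean options."""
    return value.strip().lower() in ("1", "yes", "true", "on")


def audit_repo_file(text: str) -> Dict[str, List[str]]:
    """Return {repo_id: [findings]} for every enabled repo that would let
    packages in without a verifiable signature."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings: Dict[str, List[str]] = {}
    for repo_id in parser.sections():
        sec = parser[repo_id]
        if not _truthy(sec.get("enabled", "1")):
            continue  # a disabled repo cannot hand you packages
        problems = []
        # yum's per-repo default is gpgcheck=0, so a missing key is as bad as 0
        if not _truthy(sec.get("gpgcheck", "0")):
            problems.append("gpgcheck disabled: package signatures are never verified")
        if not sec.get("gpgkey", "").strip():
            problems.append("no gpgkey: nothing to verify signatures against")
        if problems:
            findings[repo_id] = problems
    return findings


def normalize_fingerprint(fpr: str) -> str:
    """Strip spaces/colons and upper-case so the gpg display form compares
    equal to the compact form. Raises ValueError if not 40 hex digits."""
    norm = re.sub(r"[\s:]", "", fpr).upper()
    if not _FPR_RE.match(norm):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % fpr)
    return norm


def key_matches_pin(repo_id: str, offered_fingerprint: str) -> bool:
    """True only if the key a repo offers matches the fingerprint pinned for
    that repo id. A key whose user id merely *says* Fedora but whose
    fingerprint differs fails here, which is the signal the thread describes:
    stop and investigate instead of importing it."""
    expected = PINNED_FINGERPRINTS.get(repo_id)
    if expected is None:
        return False  # nothing pinned, nothing to trust
    try:
        offered = normalize_fingerprint(offered_fingerprint)
    except ValueError:
        return False
    return hmac.compare_digest(expected, offered)


if __name__ == "__main__":
    for repo_id, problems in audit_repo_file(SAMPLE_REPO_FILE).items():
        for p in problems:
            print("%s: %s" % (repo_id, p))
    spoofed = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # constructed
    print("pinned key accepted:", key_matches_pin("fedora", PINNED_FINGERPRINTS["fedora"]))
    print("spoofed key accepted:", key_matches_pin("fedora", spoofed))
```

The audit deliberately treats a missing gpgcheck line the same as gpgcheck=0, because that is yum's per-repo default; a repo file that "forgets" the line has the same effect as one that disables checking outright. The fingerprint comparison is keyed on the repo id rather than on the key's user id text, since the user id is exactly the part a spoofed key can copy.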


-- 
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
