On Wed, 2007-08-22 at 13:53 -0400, David Zeuthen wrote:
> On Wed, 2007-08-22 at 13:53 -0400, Jesse Keating wrote:
> > On Wed, 22 Aug 2007 13:44:31 -0400
> > Christopher Aillon <caillon@xxxxxxxxxx> wrote:
> >
> > > Why isn't Fedora's key imported by default?
> >
> > For the reason I listed above, we don't control the distribution of
> > Fedora. We hand it out to mirrors and encourage people download it
> > from !us. We can import the RHEL key by default because we control the
> > distribution mechanism. You can only get RHEL through us.
>
> Assume that Alice gets Fedora from Mallory's mirror. What prevents
> Mallory from patching the rpm and yum programs that end up on Alice's
> system to avoid honoring the keys that we, painfully, make her import?
(and if the answer is "Alice checks the MD5 sum of the ISO against
something from an official Fedora website that she trusts" (unlikely,
but..) then you just proved my case that including the GPG keys on the
ISO itself is fine too.)
David
--
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
