On 8/22/07, Jesse Keating <jkeating@xxxxxxxxxx> wrote: > On Wed, 22 Aug 2007 13:53:40 -0400 > David Zeuthen <davidz@xxxxxxxxxx> wrote: > > > Assume that Alice gets Fedora from Mallory's mirror. What prevents > > Mallory from patching the rpm and yum programs that end up on Alice's > > system to avoid honoring the keys that we, painfully, make her import? > > I honestly don't have an answer for this. They could. Should we then > just throw out any and all verification utilities? That would make > life easier. No, that's not the point. The MD5 checksum we have in place now are useful and should be kept. The point is that with those measures in place, why don't we just ship the Fedora GPG by default? Kristian -- Fedora-desktop-list mailing list Fedora-desktop-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-desktop-list
