On Fri, 2005-01-07 at 13:25, Ralf Ertzinger wrote: > Hi. > > Jay Turner <jkt@xxxxxxxxxx> wrote: > > > Security. It's generally a good idea to validate that the key you're > > adding to the keyring is really the one that you think it is, and if > > this keyring addition were done automatically, then someone could switch > > out the keys, thus a malicious key would be automatically added to the > > keyring. Things start to go downhill from that point. > > Well, I generally have to trust the media I install from anyway, so what > is the point in treating a single file different from all the others? I also trust the media I install from. Someone with access to replace the key in the first place would also be able to add the key to the keyring automagically. But the result that I have seen because of the need to manually add the key to the keyring is that people tend to just disable gpg checking in the yum config. Btw, is the key even installed in minimal config? I couldn't find it. Thus becoming vulnerable if some mirror site gets hacked. -HK
