Re: rpm --import

On Fri, 2005-01-07 at 13:25, Ralf Ertzinger wrote:
> Hi.
> 
> Jay Turner <jkt@xxxxxxxxxx> wrote:
> 
> > Security.  It's generally a good idea to validate that the key you're
> > adding to the keyring is really the one that you think it is, and if
> > this keyring addition were done automatically, then someone could switch
> > out the keys, thus a malicious key would be automatically added to the
> > keyring. Things start to go downhill from that point.
> 
> Well, I generally have to trust the media I install from anyway, so what
> is the point in treating a single file different from all the others?

I also trust the media I install from. Someone with access to replace
the key in the first place would also be able to add the key to the
keyring automagically.

But the result that I have seen because of the need to manually add the
key to the keyring is that people tend to just disable gpg checking in
the yum config.

Btw, is the key even installed in minimal config? I couldn't find it.

Thus becoming vulnerable if some mirror site gets hacked.

-HK
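
An added example, not part of the original message or of any Fedora or yum code: a small audit that reports enabled repositories whose effective `gpgcheck` is off, the state the reply above says people fall back to. The sample configs, the function names and the handling of a missing `gpgcheck` as "off" are assumptions made for this example.

```python
import configparser

# Constructed sample inputs, not taken from any real system.
SAMPLE_YUM_CONF = "[main]\ncachedir=/var/cache/yum\ngpgcheck=1\n"
SAMPLE_REPO_FILE = """\
[base]
baseurl=http://mirror.example.invalid/base/
enabled=1

[updates]
baseurl=http://mirror.example.invalid/updates/
gpgcheck=0

[testing]
baseurl=http://mirror.example.invalid/testing/
enabled=0
gpgcheck=0
"""

TRUE_VALUES = {"1", "yes", "true"}


def _as_bool(value, default):
    """Interpret a yum-style boolean; a missing key keeps the default."""
    return default if value is None else value.strip().lower() in TRUE_VALUES


def _parse(text):
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def unchecked_repos(main_conf_text, repo_texts):
    """Return sorted ids of enabled repos whose effective gpgcheck is off."""
    main = _parse(main_conf_text)
    # Assumption: no gpgcheck in [main] is treated as "off" so the repo is reported.
    default = _as_bool(main.get("main", "gpgcheck", fallback=None), False)
    findings = set()
    # yum.conf itself may also carry repo sections, so scan it as well.
    for text in [main_conf_text, *repo_texts]:
        repos = _parse(text)
        for repo_id in repos.sections():
            section = repos[repo_id]
            if repo_id == "main" or not _as_bool(section.get("enabled"), True):
                continue
            if not _as_bool(section.get("gpgcheck"), default):
                findings.add(repo_id)
    return sorted(findings)
```

On a real host the inputs would be the contents of `/etc/yum.conf` and each file under `/etc/yum.repos.d/`.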