On Sat, 2005-11-26 at 22:59 -0500, Jeff Spaleta wrote:
> In any event, once a package leaves a repository, there is no way to
> know exactly which repo it came from. You can't really trust the
> reponame as defined in the config, I could rename updates-released
> pooptastic-updates in the yum config and that name would have no
> meaning to anyone else. Signing keys you can somewhat trust to be
> authoritative and unique, but signing keys are not unique per repository
> tree. You can't know that a package came from updates-testing versus
> updates-released based just on the package signature.

Checking key consistency is a worthwhile check and likely a more important check than source repo anyways. It doesn't matter to me where a package comes from so long as I have the repo in my repo.d and it is signed by someone I trusted for that package previously.

Handling it like the key checking that ssh does (with a warning and an option to continue) might be the way to go. It would prevent some widespread trojan installation possible by a popular third-party repo's key getting compromised, malicious repo owners and possible future repo slap-fights.

It seems that right now, some owner of pooptastic-updates can offer up the wonderful superfoo package, convince some users to install their pooptastic.repo containing a URL to the pooptastic.key. At that point, they could replace any package on your system at update time with little indication to the user. Is this correct?

/Mike

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
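The ssh-style "remember which key signed this package before" check proposed in the message above, as an added example that is not part of the thread or of yum itself. It assumes the signature string looks like rpm's `%{SIGPGP:pgpsig}` query output ("..., Key ID <16 hex digits>"); the package names, key ids and dates are constructed, and the demo replays the scenario from the message (a third-party key turning up on an update of a package that Fedora's key signed before).

```python
import re

# rpm's "%{SIGPGP:pgpsig}" tag prints e.g.
# "RSA/SHA1, Mon 14 Nov 2005 09:00:00 AM EST, Key ID 0123456789abcdef"
# (assumed format; every sample value below is constructed, not a real package).
KEY_ID_RE = re.compile(r"Key ID ([0-9a-f]{16})\s*$", re.IGNORECASE)


def key_id_from_pgpsig(pgpsig):
    """Return the lower-case signing key id, or None for "(none)"/unparsable."""
    m = KEY_ID_RE.search(pgpsig or "")
    return m.group(1).lower() if m else None


class KnownKeys:
    """Trust-on-first-use store: package name -> key id that signed it before,
    like ssh's known_hosts. check() returns 'new', 'ok', 'unsigned' or 'MISMATCH'."""

    def __init__(self):
        self.seen = {}

    def check(self, name, pgpsig):
        key = key_id_from_pgpsig(pgpsig)
        if key is None:
            return "unsigned"          # never silently accept an unsigned update
        prev = self.seen.get(name)
        if prev is None:
            self.seen[name] = key      # first install: remember who signed it
            return "new"
        return "ok" if prev == key else "MISMATCH"   # MISMATCH = warn, ask user

    def trust(self, name, pgpsig):
        """Record a different key only after an explicit "yes, continue"."""
        key = key_id_from_pgpsig(pgpsig)
        if key:
            self.seen[name] = key


# Constructed signature strings: a distro key and a third-party repo key.
FEDORA = "RSA/SHA1, Mon 14 Nov 2005 09:00:00 AM EST, Key ID 00000000aaaaaaaa"
POOP = "RSA/SHA1, Sat 26 Nov 2005 11:00:00 PM EST, Key ID 00000000bbbbbbbb"


def run_demo():
    """Replay the scenario from the message; returns the decision per event."""
    store = KnownKeys()
    return [
        store.check("bash", FEDORA),        # first seen -> new
        store.check("superfoo", POOP),      # third-party package, first seen -> new
        store.check("bash", FEDORA),        # routine distro update -> ok
        store.check("bash", POOP),          # third-party key replacing bash -> MISMATCH
        store.check("superfoo", "(none)"),  # unsigned update -> unsigned
    ]
```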