> Handling it like the key checking that ssh does (with a warning and an
> option to continue) might be the way to go.

yum does that now. It asks you if you want to import the key and you have to press y or n.

> It would prevent some widespread trojan installation possible by a
> popular third-party repo's key getting compromised, malicious repo
> owners and possible future repo slap-fights.

The only thing that will prevent that is if users wise up about what they're doing. It's the same thing as what protects them from sending their CC to a nefarious site or one unprotected by encryption. They have to be aware of what's going on around them.

> It seems that right now, some owner of pooptastic-updates can offer up
> the wonderful superfoo package, convince some users to install their
> pooptastic.repo containing a URL to the pooptastic.key. At that point,
> they could replace any package on your system at update time with little
> indication to the user.

If they already agreed to import the key, yes.

-sv

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
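The thread turns on what a `.repo` file hands to yum: a `gpgkey` URL the user is asked to import once, after which that repo's signed packages are trusted like any other. The following audit of the `.repo` format is an added example, not code from the thread or from yum. It parses repo sections with `configparser` and flags the settings that make the exposure worse than it has to be: `gpgcheck` absent or `0`, no `gpgkey` at all, or a key fetched over plain `http`. The sample file is constructed for the example (the `pooptastic-updates` name comes from the thread; the other repo ids, hosts and values are made up), and treating a missing `gpgcheck` as `0` is an assumption for the sake of the check.

```python
"""Audit yum .repo definitions for weak signature settings.

Added example for the thread above, not code from yum or from the poster.
Per repository section it reports:
  - gpgcheck missing or 0  (assumed to mean "no signature check" here)
  - gpgkey missing          (nothing to verify signatures against)
  - gpgkey served over http (the key itself could be swapped in transit)
and notes when such a repo is enabled, i.e. offered at update time.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample .repo text; repo ids, hosts and keys are made up.
SAMPLE_REPO = """
[pooptastic-updates]
name=Pooptastic Updates
baseurl=http://pooptastic.example/fedora/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://pooptastic.example/pooptastic.key

[pooptastic-testing]
name=Pooptastic Testing
baseurl=http://pooptastic.example/testing/
enabled=1
gpgcheck=0

[vendor-secure]
name=Vendor (signed, key over https)
baseurl=https://mirror.example/vendor/
enabled=0
gpgcheck=1
gpgkey=https://mirror.example/RPM-GPG-KEY-vendor
"""


def parse_repo(text):
    """Return {repo_id: {option: value}} for every section of a .repo file."""
    # interpolation=None so yum variables like $releasever are left untouched
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def audit_repo(repos):
    """Return {repo_id: [finding, ...]} for repos with weak signature settings."""
    findings = {}
    for repo_id, opts in repos.items():
        problems = []
        enabled = opts.get("enabled", "1").strip() != "0"

        # Assumption for this example: an absent gpgcheck counts as disabled.
        if opts.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck is not 1: unsigned packages are accepted")

        gpgkey = opts.get("gpgkey", "").strip()
        if not gpgkey:
            problems.append("no gpgkey: nothing to verify signatures against")
        else:
            # gpgkey may list several URLs separated by whitespace
            for url in gpgkey.split():
                if urlparse(url).scheme == "http":
                    problems.append("gpgkey fetched over plain http: " + url)

        if problems and enabled:
            problems.append("repo is enabled: its packages are offered at update time")
        if problems:
            findings[repo_id] = problems
    return findings


if __name__ == "__main__":
    for repo_id, problems in audit_repo(parse_repo(SAMPLE_REPO)).items():
        print(repo_id)
        for problem in problems:
            print("  - " + problem)
```

Run it against `/etc/yum.repos.d/*.repo` by feeding each file's contents to `parse_repo`. Note what the check does not cover, which is exactly Seth's point: a repo that passes all three tests can still ship a newer build of any package name once its key has been imported, because the imported key is trusted for every package the repo publishes, not just the ones it was installed for.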