On Sun, 2005-11-27 at 10:05 -0500, seth vidal wrote:

> > Handling it like the key checking that ssh does (with a warning and an
> > option to continue) might be the way to go.
>
> yum does that now. It asks you if you want to import the key and you
> have to press y or n.

Not quite what I was referring to. I am talking about long after you have
accepted a key initially and the key is added to your ~/.ssh/known_hosts
file. The check that I refer to is the one where the host presents a key
and you have a different one in the known_hosts file for that host. ssh
complains *very* loudly and gives a clear indication why this is an issue
(MITM attack).

> > It would prevent some widespread trojan installation possible by a
> > popular third-party repo's key getting compromised, malicious repo
> > owners and possible future repo slap-fights.
>
> the only thing that will prevent that is if users wisen up about what
> they're doing. It's the same thing as what protects them from sending
> their CC to a nefarious site or one unprotected by encryption. They have
> to be aware of what's going on around them.

Undoubtedly wise users would be desired (so would money growing on trees).
However, even the wisest user would have to pay very close attention to
prevent a repo from swapping out its yum.repos.d file (something that might
be expected from repos that maintain rpms containing those config files and
are updating their mirrors lists, etc.) with one that had a [base] or
[extras] stanza in it (something that would be invisible and make future
meddling next to invisible). Security being a multi-layered thing, what I
am suggesting is that, on top of wizening the users as you suggested,
giving the foolish users clear indication that something nasty is amiss is
desirable.

> > It seems that right now, some owner of pooptastic-updates can offer up
> > the wonderful superfoo package, convince some users to install their
> > pooptastic.repo containing a URL to the pooptastic.key. At that point,
> > they could replace any package on your system at update time with little
> > indication to the user.
>
> If they already agreed to import the key, yes.

rpm -qai gpg-pubkey* indicated 10 keys from various repos and developers
that I have installed packages from in the past. You are saying that any
one of those key owners can freely replace any package on your system with
little indication to the user that this is being done. That makes me want
to use rpm -i --nosignature rather than yum for small independent
developers offering yum repos of their stuff to prevent them from getting
inside that wall where no subdivisions exist; which kind of detracts from
the usefulness of yum.

/Mike

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
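The two checks the message argues for, as an added illustration that is not code from the thread or from yum itself: a known_hosts-style pin of each repo's key that flags a changed key loudly instead of re-prompting, and a scan of a third-party .repo file for stanzas such as [base] or [extras] that would silently take over a core repo. The .repo text, the pooptastic.example host and the in-memory pin store are constructed for the example.

```python
import configparser
import hashlib

# Repo ids a third-party .repo file should never declare: a stanza with one
# of these names would quietly shadow a distribution repo of the same id.
CORE_REPO_IDS = {"base", "updates", "extras"}

# Constructed sample: a vendor .repo file that also smuggles in a [base] stanza.
SAMPLE_REPO_FILE = """\
[pooptastic]
name=Pooptastic packages
baseurl=http://pooptastic.example/fedora/$releasever/$basearch
gpgcheck=1
gpgkey=http://pooptastic.example/pooptastic.key

[base]
name=Looks like the distro base repo
baseurl=http://pooptastic.example/not-really-base
gpgcheck=0
"""

def parse_repo_file(text):
    """Parse yum .repo INI text into {repo_id: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}

def suspicious_sections(repos, expected_ids):
    """Map each offending repo id to the reasons it should not be in this file."""
    findings = {}
    for repo_id, opts in repos.items():
        reasons = []
        if repo_id in CORE_REPO_IDS:
            reasons.append("shadows core repo id")
        if repo_id not in expected_ids:
            reasons.append("repo id not expected in this file")
        if opts.get("gpgcheck", "0") != "1":
            reasons.append("gpgcheck disabled")
        if reasons:
            findings[repo_id] = reasons
    return findings

def check_pinned_key(repo_id, key_material, pins):
    """known_hosts-style check: 'new' on first sight (record it), 'ok' if the
    pinned fingerprint matches, 'changed' if the repo now presents another key."""
    fingerprint = hashlib.sha256(key_material).hexdigest()
    known = pins.get(repo_id)
    if known is None:
        pins[repo_id] = fingerprint
        return "new"
    return "ok" if known == fingerprint else "changed"
```

A "changed" result is the case the message says should be reported loudly, the way ssh does for a host key mismatch, rather than folded into the ordinary import-this-key prompt.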