[13.Eyl.07 01:36 +0300] Sertaç Ö. Yıldız:
[12.Eyl.07 15:43 -0400] seth vidal:
On Wed, 2007-09-12 at 21:42 +0200, Nicolas Mailhot wrote:
I hope yum has a check somewhere to forbid installation of unknown
default-on repositories.
how on earth would yum know? Do you want yum to have special behavior if it
detects a .repo file?
Not for .repo files, but it would be nice to check for GPG keys it installs.
On a second thought, I realized that yum cannot do anything about trust
at the moment. And my mindset about trust here (based on public keys
being installed or not) was completely flawed. I’ve seen a package
executing “rpm --import” from postinstall scriptlet and maybe it’s
possible even from preinstall.
If I cannot express my distrust on a repository (or specifically
a public key) I cannot express my trust either. And probably this must
be solved at the rpm level.
Rpm apparently has some (undocumented) code about this:
| $ rpm --trust
| --trust: missing argument
But IIUC at the moment it handles the situation similar to what I’d
thought: NOTTRUSTED is similar to NOKEY.
As it is, GPG signature verification reduces to a mere integrity check
if one wants to use external repositories.
--
~sertaç
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
