Re: Should Fedora rpms be signed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 5 Nov 2004, seth vidal wrote:

> > The current model is that they're all the same.  Look at our tools; look
> > at yum and up2date.  They don't know anything about which key is which,
> > just which key you've said you trust (not even what you trust it for, or
> > how much).  The only real difference, and certainly the only one in the
> > minds of the vast majority of our users, is that one comes in rpm's key
> > list by default and one does not.

What in rpm's key list by default? I thought the user does an explicit
'rpm --import'

> An RFE for yum has been to provide a list of gpg keyids that are valid
> per-repository.
> 
> So then the gpgcheck process would be:
> 
> 1. check if the sig exists
> 2. check if the sig is valid
> 3. if both are true, check to see if the keyid matches on the allowed
> keyid for packages from that repo.

A couple of questions here.

- What key is used for this purpose (to sign the metadata)?
- Where does the user store this public key?
- What prevents the clueless users from having the same expecation from
  a gpg-signed metada-repo as they have with gpg-signed packages?

thanks,
Satish


[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]