[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: rpm --import



On Fri, 2005-01-07 at 13:25, Ralf Ertzinger wrote:
> Hi.
> 
> Jay Turner <jkt redhat com> wrote:
> 
> > Security.  It's generally a good idea to validate that the key you're
> > adding to the keyring is really the one that you think it is, and if
> > this keyring addition were done automatically, then someone could switch
> > out the keys, thus a malicious key would be automatically added to the
> > keyring. Things start to go downhill from that point.
> 
> Well, I generally have to trust the media I install from anyway, so what
> is the point in treating a single file different from all the others?

I also trust the media I install from. Someone with access to replace
the key in the first place would also be able to add the key to the
keyring automagically.

But the result that I have seen because of the need to manually add the
key to the keyring is that people tend to just disable gpg checking in
the yum config.

Btw, is the key even installed in minimal config? I couldn't find it.

Thus becoming vulnerable if some mirror site gets hacked.

-HK


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]