PackageKit Misconceptions

Alexander Boström abo at kth.se
Sat Sep 1 08:05:21 UTC 2007


On Wed, 2007-08-22 at 13:55 -0400, Colin Walters wrote:
> 
> The obvious default policy to me is:
> 
> * Fedora trusts the GPG keys it ships 
> * All other keys are denied

I'd say:

* PackageKit trusts the GPG keys that are in /etc/pki.
* All other keys are denied.

Yum, on the other hand, does ask and show a fingerprint, but it also
shows the path to the key (IIRC), so the smart user can see if it's a
trusted key from /etc/pki or if it's an unknown key that she needs to
check.

> The scenario where this does break down is installing software from
> other sites like livna.  If we have some sort of hoop there in the
> process that's probably fine.  Maybe you have to "sudo rpm -ivh
> http://livna.org/gpg.asc", or click some dialog.  Firefox makes users
> installing extensions wait 3 seconds. 

Yup. Which is basically what we have today. You do

 rpm -ivh http://www.3dparty.org/3rdpart-release.rpm

That puts the key in /etc/pki, which means you've agreed to trust it. As
long as 3dparty.org is a good repo and you're not being MITM'd, it's
fine. And it's a manual step that requires doing stuff in a root shell
or responding with the root password when you click on the rpm link in
the browser. There's room for improvement here though, perhaps if some
legally and technically sane way of helping the user figure out who to
trust can be found.

/abo
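An added example, not code from the thread or from PackageKit: the deny-by-default policy described above, applied to the signature string rpm prints for a package. The key table, the paths and the sample signature strings are constructed; the format of the `Key ID` tail is assumed to match rpm's `%{SIGPGP:pgpsig}` output.

```python
import re
from typing import Dict, Optional, Tuple

# Trusted keys are the ones already imported from /etc/pki/rpm-gpg into the
# rpm database. Constructed sample: maps the low 32 bits of each key ID (the
# "version" field of an installed gpg-pubkey package) to the file it came from.
TRUSTED_KEYS: Dict[str, str] = {
    "0a1b2c3d": "/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora",   # constructed value
    "4e5f6071": "/etc/pki/rpm-gpg/RPM-GPG-KEY-3dparty",  # constructed value
}

# Matches the trailing "Key ID <hex>" of a formatted pgpsig string such as
# "DSA/SHA1, Wed 22 Aug 2007 01:55:00 PM EDT, Key ID 89abcdef0a1b2c3d".
_KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})\s*$")


def signing_key_id(pgpsig: str) -> Optional[str]:
    """Return the low 32-bit key ID (8 hex chars) of the signing key, or None."""
    if not pgpsig or pgpsig.strip() == "(none)":
        return None  # rpm prints "(none)" for an unsigned package
    m = _KEYID_RE.search(pgpsig)
    return m.group(1)[-8:].lower() if m else None


def decide(pgpsig: str, trusted: Dict[str, str] = TRUSTED_KEYS) -> Tuple[str, str]:
    """Allow only packages signed by a key found in /etc/pki; deny everything else.

    Returns (verdict, reason); the reason names the key path for a trusted key,
    mirroring what yum shows so the user can see where trust came from.
    """
    keyid = signing_key_id(pgpsig)
    if keyid is None:
        return "deny", "package is unsigned or its signature is unparsable"
    path = trusted.get(keyid)
    if path is None:
        return "deny", f"signed by unknown key {keyid}, not found under /etc/pki"
    return "allow", f"signed by key {keyid}, trusted via {path}"


if __name__ == "__main__":
    # Constructed signature strings, one per case the policy distinguishes.
    for sig in (
        "DSA/SHA1, Wed 22 Aug 2007 01:55:00 PM EDT, Key ID 89abcdef0a1b2c3d",
        "DSA/SHA1, Sat 01 Sep 2007 08:05:21 AM UTC, Key ID 0000000011112222",
        "(none)",
    ):
        print(decide(sig))
```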
