status of up2date and rhn-applet

Michael Wiktowy mwiktowy at gmx.net
Sun Nov 27 08:54:21 UTC 2005


On Sat, 2005-11-26 at 22:59 -0500, Jeff Spaleta wrote:
> In any event, once a package leaves a repository, there is no way to
> know exactly which repo it came from.  You can't really trust the
> reponame as defined in the config, I could rename updates-released to
> pooptastic-updates in the yum config and that name would have no
> meaning to anyone else. Signing keys you can somewhat trust to be
> authoritative and unique, but signing keys are not unique per repository
> tree. You can't know that a package came from updates-testing versus
> updates-released based just on the package signature.

Checking key consistency is a worthwhile check and likely a more
important check than source repo anyway. It doesn't matter to me where
a package comes from so long as I have the repo in my repo.d and it is
signed by someone I trusted for that package previously.

Handling it like the key checking that ssh does (with a warning and an
option to continue) might be the way to go.
It would prevent some widespread trojan installation possible by a
popular third-party repo's key getting compromised, malicious repo
owners and possible future repo slap-fights.

It seems that right now, some owner of pooptastic-updates can offer up
the wonderful superfoo package, convince some users to install their
pooptastic.repo containing a URL to the pooptastic.key. At that point,
they could replace any package on your system at update time with little
indication to the user.

Is this correct?

/Mike
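An added illustration of the ssh-style check proposed above (example code written for this thread; it is not from yum, up2date, rhn-applet or anyone in the discussion). It keys the trust record on the package name alone, exactly because the repo name in the config is not something the client can trust, and treats the first installation as trust-on-first-use like a fresh known_hosts entry. A later update whose signer differs from the recorded one is held with a warning unless the user explicitly continues; unsigned packages are always held. The key fingerprints, package names and repo names are constructed sample values, and the record is kept in memory rather than on disk:

```python
"""
Trust-on-first-use signer tracking for packages, modelled on how ssh
remembers host keys: the first time a package is installed, the
fingerprint of its signing key is recorded; a later update signed by a
different key is held with a warning until the user explicitly overrides,
whatever repository claims to ship it.

Added example for this thread, not part of yum or up2date.
All fingerprints, package and repo names below are constructed values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Verdict(Enum):
    FIRST_SEEN = "first-seen"  # no record yet: record the signer and allow
    MATCH = "match"            # same signer as before: allow silently
    MISMATCH = "mismatch"      # different signer: warn, hold until overridden
    UNSIGNED = "unsigned"      # no signature at all: always hold


@dataclass(frozen=True)
class Candidate:
    name: str               # package name
    signer: Optional[str]   # fingerprint of the signing key, None if unsigned
    repo: str               # repo name from the config; informational only


class KnownSigners:
    """Package name -> signer fingerprint map (the known_hosts analogue)."""

    def __init__(self) -> None:
        self._signers: Dict[str, str] = {}

    def signer_of(self, name: str) -> Optional[str]:
        return self._signers.get(name)

    def check(self, cand: Candidate) -> Verdict:
        """Classify a candidate package without changing the record."""
        if cand.signer is None:
            return Verdict.UNSIGNED
        known = self._signers.get(cand.name)
        if known is None:
            return Verdict.FIRST_SEEN
        return Verdict.MATCH if known == cand.signer else Verdict.MISMATCH

    def accept(self, cand: Candidate) -> None:
        """Record the candidate's signer. For a MISMATCH this is the explicit
        override, like editing known_hosts after an ssh host-key warning."""
        if cand.signer is None:
            raise ValueError(f"refusing to record unsigned package {cand.name}")
        self._signers[cand.name] = cand.signer


def plan_update(db: KnownSigners, candidates: List[Candidate],
                overrides: Optional[Set[str]] = None) -> Tuple[List[str], List[str]]:
    """Split an update set into (installed, held) package-name lists.

    FIRST_SEEN and MATCH packages are installed and recorded. MISMATCH
    packages are held unless the user named them in `overrides` (the
    "continue anyway" answer to the warning). UNSIGNED packages are held.
    """
    overrides = overrides or set()
    installed, held = [], []
    for cand in candidates:
        verdict = db.check(cand)
        if verdict in (Verdict.FIRST_SEEN, Verdict.MATCH):
            db.accept(cand)
            installed.append(cand.name)
        elif verdict is Verdict.MISMATCH and cand.name in overrides:
            print(f"WARNING: {cand.name} now signed by {cand.signer}, previously "
                  f"{db.signer_of(cand.name)} (repo '{cand.repo}'); accepted by user")
            db.accept(cand)
            installed.append(cand.name)
        else:
            detail = (f", previously signed by {db.signer_of(cand.name)}"
                      if verdict is Verdict.MISMATCH else "")
            print(f"HELD: {cand.name} from repo '{cand.repo}': {verdict.value}{detail}")
            held.append(cand.name)
    return installed, held


# Constructed scenario from the thread: a third-party repo offers superfoo,
# then later tries to replace bash under its own key.
DISTRO_KEY = "4F2A6FD2"      # constructed sample fingerprint
THIRDPARTY_KEY = "DEADBEEF"  # constructed sample fingerprint


def demo() -> Tuple[List[str], List[str]]:
    db = KnownSigners()
    # Day 1: bash from the distro, superfoo from the third-party repo (both first seen).
    plan_update(db, [
        Candidate("bash", DISTRO_KEY, "updates-released"),
        Candidate("superfoo", THIRDPARTY_KEY, "pooptastic"),
    ])
    # Day 2: the third-party repo now carries a "newer" bash signed by its own key.
    return plan_update(db, [
        Candidate("bash", THIRDPARTY_KEY, "pooptastic"),      # held: signer changed
        Candidate("superfoo", THIRDPARTY_KEY, "pooptastic"),  # fine: same signer
        Candidate("evilfoo", None, "pooptastic"),             # held: unsigned
    ])


if __name__ == "__main__":
    print(demo())  # (['superfoo'], ['bash', 'evilfoo'])
```

The record would need to live on disk (and be protected like the rpm database) to be useful across runs; what the example shows is the decision logic, in particular that the repo name never enters the verdict and that the only way past a signer change is an explicit per-package override.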

More information about the fedora-devel-list mailing list