[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Trusting repositories (was: Re: Announcing rpmfusion)



[13.Eyl.07 01:36 +0300] Sertaç Ö. Yıldız:
[12.Eyl.07 15:43 -0400] seth vidal:
On Wed, 2007-09-12 at 21:42 +0200, Nicolas Mailhot wrote:
I hope yum has a check somewhere to forbid installation of unknown default-on repositories.

how on earth would yum know? Do you want yum to have special behavior if it detects a .repo file?

Not for .repo files, but it would be nice to check for GPG keys it installs.

On a second thought, I realized that yum cannot do anything about trust at the moment. And my mindset about trust here (based on public keys being installed or not) was completely flawed. I’ve seen a package executing “rpm --import” from postinstall scriptlet and maybe it’s possible even from preinstall.

If I cannot express my distrust on a repository (or specifically a public key) I cannot express my trust either. And probably this must be solved at the rpm level.

Rpm apparently has some (undocumented) code about this:
| $ rpm --trust
| --trust: missing argument

But IIUC at the moment it handles the situation similar to what I’d thought: NOTTRUSTED is similar to NOKEY.

As it is, GPG signature verification reduces to a mere integrity check if one wants to use external repositories.

--
~sertaç


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]