Discussion of content, security Re: FC3 yum instructions

David Eisenstein deisenst at gtw.net
Sun Feb 26 10:20:26 UTC 2006 

On Tue, 21 Feb 2006, Eric Rostetter wrote:

> I've added the following to the web site:
> 
>    http://www.fedoralegacy.org/docs/yum-fc3.php
> 
> and would appreciate testing, feedback, etc.  Thanks!

Hey Eric,

I think you have done a wonderful job with this web-page.  The instruc-
tions are clear, concise, easy-to-read and understand, even by a Linux
novice, and seem to cover all of the technical points necessary for a
Fedora Core 3 user to get his/her system(s) to use YUM to continue keeping
his/her system up-to-date with Fedora Legacy updates, and to do so
securely.  It is also well-formatted and looks professional.  Good job!


STEP 2 AND STEP 1.4

I am wondering ... it seems to me that we included code in the RPM
"legacy-yumconf-3-4.fc3.noarch.rpm" that includes and automatically 
installs the Fedora Legacy GPG key when this RPM package is installed.
Can someone confirm or deny that?  If so, then "Step 2: Configure yum for 
Fedora Legacy" already takes care of the work that Step 1.4 asks the user 
to do.  

HOWEVER, as the legacy-yumconf RPM file itself is signed by the Fedora
Legacy key, the "rpm -Uvh" step in step 2 would be downloading and
installing the legacy-yumconf package without the benefit of the Legacy
GPG key to check to make sure it is not tampered with.  So it seems to me 
that Step 1.4 isn't necessarily a duplication of effort, as it verifies
that the legacy-yumconf package installed in Step 2 is signed with the
key installed in Step 1.4.

It seems a little more secure to go ahead and let users *do* step 1.4, and
if they're lazy and don't want to do it, it gets done for them anyway.

SO, is my interpretation correct?  Do we need to ask the user still to do
Step 1.4 if Step 2 takes care of it?  Considering the warning the user may
get in Step 2 if Legacy's key isn't already installed --
   ("warning: legacy-yumconf-3-4.fc3.noarch.rpm: V3 DSA signature: NOKEY,
   key ID 731002fa")

-- would that be confusing enough to warrant keeping Step 1.4 there and
asking the user to do it?  If we removed Step 1.4, would we introduce some
kind of risk to the user -- say, if a Fedora Legacy downloading site or
mirror were to be compromised by some attacker, who might put in his/her
own legacy-yumconf package and install a gpg key of his/her choice?

By the way, the legacy-yumconf rpm the user installs not only updates this 
user's YUM configuration, it also updates the user's up2date configuration
as well, if the user is inclined to use the up2date tool, and the RHN 
desktop icon (I believe).  (Please correct me if I am wrong.)  Do we
need updated up2date documentation for Fedora Core 3?  Core 2 as well?


STEP 7

Was thinking that maybe a little more information about how to get more
detailed knowledge about yum would be appropriate here.  Something like,
"For more information about these yum commands and other yum abilities, do
'man yum' or go to <yada yada> website."  What do you think?

	Warm regards,
	David Eisenstein

More information about the fedora-legacy-list mailing list