Whom should I put my trust?
Chris Kloiber
ckloiber at redhat.com
Tue Nov 25 07:09:51 UTC 2003
On Tue, 2003-11-25 at 15:04, Axel Thimm wrote:
> On Tue, Nov 25, 2003 at 02:06:15PM +0800, Chris Kloiber wrote:
> > On Tue, 2003-11-25 at 05:12, Timothy Ha wrote:
> > > Thank you!
> > >
> > > I still have some questions (not doubts): With thrilling stories like
> > > someone breaking into Linux kernel source, how do you guarantee the quality
> > > of the repositories? Security updates, system tools and so on are there.
> > >
> > > Will Redhat be some guarantee to all these things?
> >
> > Not necessarily, but...
> >
> > The packages are all signed with GPG if they are officially part of the
> > Fedora project. Your up2date/apt/yum should be configured to check these
> > signatures before installing anything, and to scream "bloody-blue
> > murder" if they are not correctly signed.
>
> Well, almost all non-redhat.com repos are GPG signing as well. GPG
> signed packages with keys from the same originating site only ensures
> that you get what the packager produced. The difference being that I
> would trust a redhat.com key more than a my.repo.for.fc1.hackz key ;)
>
> > You should be able to find the official keys and an explanation of
> > their uses here:
> >
> > http://fedora.redhat.com/about/security/
>
> Maybe RH could consider verifying some IDs of packagers/repos and sign
> their keys (and vice versa, RH's key is not signed by any other key)?
> That would be a good establishment to create a true web of trust.
Oh, part of that is here:
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x54A2ACF1
--
Chris Kloiber
Red Hat, Inc.
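The thread's advice is to make sure the package tool refuses anything that is not correctly signed. Below is an added example (not from this thread, and not a Fedora or yum tool) that audits a yum-style configuration and lists every repository section that does not set gpgcheck=1; the configuration text is constructed, and the repository names, URLs and key path are placeholders. A section that never mentions gpgcheck is reported too, on the assumption that silence means checking is off.

```shell
#!/bin/sh
# Constructed sample of a yum-style configuration (placeholder names/URLs):
# one repo with signature checking on, one with it off, one that never sets it.
SAMPLE_CONF='[main]
gpgcheck=1

[fedora-updates]
name=Fedora Updates
baseurl=http://download.example.invalid/updates/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-placeholder

[third-party]
name=Some third-party repo
baseurl=http://mirror.example.invalid/fc1/
gpgcheck=0

[no-setting]
name=Repo that never mentions gpgcheck
baseurl=http://other.example.invalid/fc1/
'

# audit_gpgcheck: reads a yum-style config on stdin and prints, one per line,
# every section that does not contain gpgcheck=1 (spaces around '=' ignored).
audit_gpgcheck() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }      # trim the line
        /^\[.*\]$/ {                                     # new section header
            if (section != "" && !ok) print section      # report previous one
            section = substr($0, 2, length($0) - 2); ok = 0; next
        }
        { gsub(/[ \t]/, "") }                            # "gpgcheck = 1" -> "gpgcheck=1"
        /^gpgcheck=1$/ { ok = 1 }
        END { if (section != "" && !ok) print section }
    '
}

# unsigned_repos: runs the audit over the constructed sample.
unsigned_repos() {
    printf '%s' "$SAMPLE_CONF" | audit_gpgcheck
}

# When run directly, list the sections that would install unsigned packages.
unsigned_repos
```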