Yum is great, but do you trust them?

Dan Stoner dstoner at flmnh.ufl.edu
Wed Feb 11 15:26:09 UTC 2004


Thanks to everyone who posted and gave detailed responses.  I feel 
better about using Fedora in general, and now have my linux box updating 
daily using yum.

To summarize, combined with some other threads on this list, info on 
the web, etc.:

How to set up yum updating on Fedora Core 1:

1.  import the fedora GPG key so we can verify the integrity of the 
downloaded packages.

  rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora

2.  modify /etc/yum.conf to enable gpg checking and to use the mirrors 
of my choice.  Note that the directory structure of the mirrors seems to 
be different than what is in the default yum.conf.  The $releasever and 
$basearch variables _should_ allow us to move beyond fedora core 1 
without having to change the yum.conf file.

[base]
name=Fedora Core $releasever - $basearch - Base
#baseurl=http://fedora.redhat.com/releases/fedora-core-$releasever
baseurl=http://www.gtlib.cc.gatech.edu/pub/fedora.redhat/linux/core/$releasever/$basearch/os
gpgcheck=1

[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
#baseurl=http://fedora.redhat.com/updates/released/fedora-core-$releasever
baseurl=http://www.gtlib.cc.gatech.edu/pub/fedora.redhat/linux/core/updates/$releasever/$basearch
gpgcheck=1

3.  update!

  yum update

4.  enable the yum service, which uses a daily cron job to get updates 
automatically

  chkconfig yum on
  service yum start


Regards,

  Dan Stoner

Joel Jaeggli wrote:

> in /usr/share/rhn are two files...
> 
> RPM-GPG-KEY-fedora
> RPM-GPG-KEY-fedora-test
> 
> doing an:
> 
> rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora
> 
> will import the fedora public key into rpm's keyring... the other is used 
> to sign the packages in the testing dir.
> 
> then add:
> 
> gpgcheck=1
> 
> to the server sections of your yum.conf
> 
> then you can: 
> 
> yum update 
> 
> without fear of bogus packages...
> 
> for third party packages and repositories like atrpms dag or freshrpms 
> there are generally more public keys you can add to validate those 
> packages as well...
> 
> 
> 
> On Tue, 10 Feb 2004, Dan Stoner wrote:
> 
> 
>>Joel Jaeggli wrote:
>>
>>
>>>place the pgp keys for the signers in your keyring then require pgp keys 
>>>for the repositories. then packages whose signatures can't be trusted or 
>>
>>How do I place the pgp keys into my keyring?
>>
>>My google search returned way too much information.
>>
>>Thanks!
>>
>>-Dan
>>
>>
>>
> 
> 
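The gpgcheck recipe in this thread, as an added example that is not code from the thread, from yum or from Fedora: a small Python script (yum itself is written in Python) that parses a yum.conf, expands $releasever and $basearch the way the mirror URLs above expect, and reports every repository section that does not carry gpgcheck=1. The sample configuration, the mirror hostnames and the "thirdparty" and "extras" sections are constructed for the example; treating every section other than [main] as a repository section is an assumption of the script, not something the thread states.

```python
"""Audit a yum.conf for repository sections that lack gpgcheck=1.

Added example for this thread, not code from yum or Fedora.  The sample
configuration below is constructed: the mirror hostnames and the
'thirdparty' and 'extras' sections are made up.  The check is strict on
purpose: gpgcheck must be set to 1 inside each repository section, which
is how the thread describes configuring yum on Fedora Core 1.
"""
import configparser

# Constructed sample yum.conf: 'base' and 'updates-released' follow the
# thread's recipe; 'thirdparty' turns checking off and 'extras' has no
# gpgcheck line at all.  Both are hypothetical.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log

[base]
name=Fedora Core $releasever - $basearch - Base
baseurl=http://mirror.example.org/fedora/core/$releasever/$basearch/os
gpgcheck=1

[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
baseurl=http://mirror.example.org/fedora/core/updates/$releasever/$basearch
gpgcheck=1

[thirdparty]
name=Hypothetical third-party repository
baseurl=http://rpms.example.net/fedora/$releasever/$basearch
gpgcheck=0

[extras]
name=Hypothetical repository with no gpgcheck line at all
baseurl=http://extras.example.net/fedora/$releasever/$basearch
"""


def parse_yum_conf(text):
    """Parse yum.conf text into a ConfigParser.

    Interpolation is disabled so the $releasever/$basearch placeholders
    (and any stray % signs in URLs) survive untouched.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def expand_vars(url, releasever, basearch):
    """Substitute yum's $releasever and $basearch placeholders in a URL."""
    return url.replace("$releasever", releasever).replace("$basearch", basearch)


def audit_gpgcheck(parser):
    """Return the names of repository sections where gpgcheck is not 1.

    Assumption: every section except [main] is a repository section.  A
    missing gpgcheck line counts as a failure, since yum will not verify
    package signatures for that repository unless it is told to.
    """
    failing = []
    for section in parser.sections():
        if section == "main":
            continue
        value = parser.get(section, "gpgcheck", fallback="0").strip()
        if value != "1":
            failing.append(section)
    return failing


def repo_urls(parser, releasever="1", basearch="i386"):
    """Map each repository section to its baseurl with variables expanded."""
    return {
        section: expand_vars(parser.get(section, "baseurl"), releasever, basearch)
        for section in parser.sections()
        if section != "main" and parser.has_option(section, "baseurl")
    }


if __name__ == "__main__":
    conf = parse_yum_conf(SAMPLE_YUM_CONF)
    for name, url in repo_urls(conf).items():
        print(f"{name:18} {url}")
    bad = audit_gpgcheck(conf)
    if bad:
        print("repositories without gpgcheck=1:", ", ".join(bad))
    else:
        print("all repository sections require signature checks")
```

To run it against a real system, read /etc/yum.conf into parse_yum_conf() instead of SAMPLE_YUM_CONF. A repository fetched over plain http with gpgcheck=1 is still protected against a tampered mirror by the package signatures, provided the key was imported from a trusted copy such as the one shipped in /usr/share/rhn; with gpgcheck=0 or no gpgcheck line at all you are trusting whatever the mirror serves.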




