
Re: rpm --import


Jay Turner <jkt redhat com> wrote:

> There's a hierarchy there.  Step 1 is validating that the signing key
> you have indeed came from the source you think it did (in this case Red
> Hat.) Once you establish that it's a known entity, then all of the
> packages on the Red Hat media (be it RHEL or Fedora) are signed with
> that key, so at that point you know that all of the packages originated
> from Red Hat as well (or the Fedora project in the case of Fedora.)  So
> you don't "have to trust the media [you] install from anyway" as
> that content can be verified just as the key itself can.

OK, I think there is a slight misunderstanding. I did not mean to say that
I will swallow everything that says "Fedora Core 3 DVD" (or whatever) on
it and treat it as genuine. I can download it from anywhere, and check the
published checksums (which are signed) against my image. Leaving discussions
about hashing algorithms aside, I have thus established that my media is good.
So is the key, which is included on the media.

So we have two cases:

1) People who check that the media is genuine (signed checksums), and thus
   trust the media, and trust the keys on it, so the keys can be imported
   by the installer.

2) People who do not check the media (or have it checked by their admin or
   another knowledgeable person), and can so be persuaded to install almost
   anything. If the media is compromised, all bets are off, anyway. If the media
   is genuine nonetheless, they get the keys they need to trust the automatic
   updates (which is a good thing, in my book).

Maybe I am missing something here.

PS: the above just holds for media-based installations.

"What? You can switch a computer off, too?"
Kasuga in AnimeGer
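
The check described in case 1 above, written out as an added example (not part of the original post or of any Red Hat or Fedora tooling). It assumes a clearsigned SHA-256 checksum list and a keyring file that holds only the vendor key obtained out of band; the function names, file arguments and the choice of SHA-256 are all assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: the checksum list is clearsigned, uses the
# sha256sum line format, and KEYRING is a path to a keyring that contains
# only the vendor signing key (verified out of band beforehand).

# Step 1: verify the signature and write out ONLY the signed text.
# Text outside the signed region of a clearsigned file is not covered by
# the signature, so later steps must read the extracted copy, not the
# original file.
checksums_signed_ok() {   # usage: checksums_signed_ok KEYRING CHECKSUM_FILE OUT
    gpg --batch --yes --no-default-keyring --keyring "$1" \
        --output "$3" --verify "$2" >/dev/null 2>&1
}

# Step 2: the image must be listed exactly once and its hash must match.
# A missing or duplicated entry fails closed. File names with spaces are
# not handled.
image_matches() {         # usage: image_matches SIGNED_LIST IMAGE
    name=$(basename "$2")
    want=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1 }' "$1")
    [ "$(printf '%s\n' "$want" | grep -c .)" -eq 1 ] || return 1
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Both steps together. Only when this returns 0 does trust in the signed
# checksum list extend to the image, and with it to the package signing
# key carried on that image, which can then be given to rpm --import.
verify_media() {          # usage: verify_media KEYRING CHECKSUM_FILE IMAGE
    signed=$(mktemp) || return 1
    if checksums_signed_ok "$1" "$2" "$signed" &&
       image_matches "$signed" "$3"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$signed"
    return "$rc"
}
```

In case 2 above neither step is run, so nothing links the key on the media back to a key the user already trusts.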
