[CentOS-devel] Re: Point yum repos to centos gpg key in /etc/pki/

Peter Kjellstrom cap at nsc.liu.se
Mon Feb 25 20:50:11 UTC 2008


On Monday 25 February 2008, Scott Silva wrote:
> on 2/25/2008 10:40 AM Jeff Sheltren spake the following:
> > On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:
...
> >> I STILL think pointing to the http://mirror.centos.org/ site is best
> >> for the web enabled CentOS-Base.repo file.
> >
> > Johnny, could you let us know your reasons for wanting to point to the
> > remote GPG key?
>
> I would think if you could compromise the mirror dns list, you could have
> malicious rpm's signed by a malicious key, and have thousands of systems
> get rooted.

I'm not sure what you're saying, but if the above happened. Then my 
unaffected /etc/pki key would refuse your maliciously signed rpms.

And if my /etc/pki was bad then that was because my install was bad and I'm 
f**ked anyway.

/Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.centos.org/pipermail/centos-devel/attachments/20080225/7ee1f393/attachment.bin


More information about the CentOS-devel mailing list