[CentOS-devel] Point yum repos to centos gpg key in /etc/pki/

Mon Jul 14 11:22:25 UTC 2008
Peter Kjellstrom <cap at nsc.liu.se>

On Saturday 10 May 2008, Akemi Yagi wrote:
> 2008/2/25 Peter Kjellstrom <cap at nsc.liu.se>:
> > On Monday 25 February 2008, Johnny Hughes wrote:
> >> Jeff Sheltren wrote:
> >
> > ...
> >
> >> > Johnny, could you let us know your reasons for wanting to point to the
> >> > remote GPG key?
> >>
> >> We DON'T allow downloads of ISOs from centos.org servers due to
> >> bandwidth considerations.  It would be fairly easy to put out an ISO
> >> that had different RPMS and a different key.
> >>
> >> Granted, people CAN check the md5 and sha1 sum of the ISOs if they
> >> choose.
> >>
> >> Since we do control the content of every mirror.centos.org server, we
> >> know that the key file is correct.  In order to make that key AND the
> >> RPMS be bad, they need a doctored CD *AND* they need to hijack our
> >> content by DNS poisoning or getting control of our servers.
> >>
> >> I just think if you are using the internet anyway, why not also get the
> >> key from a known location.
> >
> > I agree that there's something intuitively right about that, but,
> > unfortunately it's wrong :-)
> >
> > Here's why.
> >
> > We have to assume that the install the user has is intact and
> > uncompromised. Why? Well, if it has been compromised in any way then not
> > only could it contain a malicious /etc/pki, it could of course have
> > different gpgkey= lines in the .repo files...
> >
> > It will have to be up to the user to make sure (with our help, signed
> > .isos, installers that check rpm signatures and stage2 signature) that
> > he/she has an ok system. If they fail then they don't really run centos,
> > they run haxx0r os and any attempt to validate anything inside that will
> > fail.
> >
> > /Peter
>
> This discussion has been dormant for a while...  With 5.2 just around
> the corner, isn't it a good idea to wrap this up and reach some sort
> of a conclusion?
>
> Akemi

I would have liked to wake this thread in time for 5.2 but unfortunately I 
havn't had any time for centos lately. :-(

It was my interpretation that the discussion ended somewhat in favour 
of /etc/pki but either that was just my wishful thinking or it got 
forgotten/delayed/droped because it didn't make it into centos-release for 
5.2.

What are the concerns people still have regarding this? (switching gpgkey= 
from http://centos.org... to /etc/pki/...)

/Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20080714/93c74824/attachment-0006.sig>