2008/2/25 Peter Kjellstrom cap@nsc.liu.se:
We have to assume that the install the user has is intact and uncompromised. Why? Well, if it has been compromised in any way then not only could it contain a malicious /etc/pki, it could of course have different gpgkey= lines in the .repo files...
Or a modified yum or RPM that only appears to do verification. I agree that we should at the very least suppose that the user verifies the installation media.
As for DNS poisoning or hacking, that misery can potentially happen to everyone, and a good way to guard against this is to rely on the pre-installed key from media that was proven to be correct. So, I think this should be the default behavior.
Take care, Daniel
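The policy argued for above (verify packages against a key that was already on the box, installed from the media, rather than one fetched over the network where a poisoned DNS answer could substitute it) can be checked mechanically. The script below is an added example, not code from the thread or from yum: it parses .repo files and flags any section that has gpgcheck disabled or a gpgkey= that is not a file:///etc/pki/rpm-gpg/ path. The two .repo files it audits are constructed samples; the path convention /etc/pki/rpm-gpg is the standard location on RPM-based distributions. Checking that the local key's fingerprint actually matches the media is a separate step not shown here.

```shell
#!/bin/sh
# Added example (not from the original thread): audit yum/dnf .repo files so
# that every section verifies signatures against a key already present under
# /etc/pki/rpm-gpg (installed from the media) instead of a key fetched over the
# network. The sample .repo files below are constructed for this example.

# audit_repo FILE
#   Prints "<section> OK" or "<section> WEAK: <reason>" for each [section].
#   Exit status 0 if every section is OK, 1 otherwise.
#   Limitation: a gpgkey= value continued on indented follow-on lines is not parsed.
audit_repo() {
    awk '
        # Report on the section collected so far. reason/n/i/keys are awk locals.
        function report(   reason, n, i, keys) {
            if (sect == "") return
            if (gpgcheck != "1") {
                reason = "gpgcheck is not 1"
            } else if (gpgkey == "") {
                reason = "no gpgkey= line"
            } else {
                # gpgkey may list several space-separated sources; all must be local.
                n = split(gpgkey, keys, /[[:space:]]+/)
                for (i = 1; i <= n; i++)
                    if (keys[i] !~ /^file:\/\/\/etc\/pki\/rpm-gpg\//) {
                        reason = "gpgkey " keys[i] " is not a key under /etc/pki/rpm-gpg"
                        break
                    }
            }
            if (reason == "") print sect " OK"
            else { print sect " WEAK: " reason; bad = 1 }
        }
        BEGIN { bad = 0; sect = "" }
        # A new [section] header: flush the previous one and reset its fields.
        /^[[:space:]]*\[/ {
            report()
            sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect)
            gpgcheck = ""; gpgkey = ""
            next
        }
        # key = value lines we care about; strip the key, "=", and surrounding blanks.
        /^[[:space:]]*gpgcheck[[:space:]]*=/ { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); gpgcheck = v; next }
        /^[[:space:]]*gpgkey[[:space:]]*=/   { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); gpgkey = v; next }
        END { report(); exit bad }
    ' "$1"
}

# make_samples: write two constructed .repo files into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    # Constructed sample: key shipped with the media, referenced by local path.
    cat > "$dir/base.repo" <<'EOF'
[base]
name=Base
baseurl=http://mirror.example/base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
EOF
    # Constructed sample: one section fetches its key over HTTP (exposed to a
    # poisoned DNS answer), the other disables signature checking entirely.
    cat > "$dir/extras.repo" <<'EOF'
[extras]
name=Extras
baseurl=http://mirror.example/extras
gpgcheck=1
gpgkey=http://mirror.example/RPM-GPG-KEY-example

[extras-debug]
name=Extras debug
baseurl=http://mirror.example/extras-debug
gpgcheck=0
EOF
    echo "$dir"
}

# Usage: audit the constructed samples, then any real .repo files given as arguments
# (e.g. /etc/yum.repos.d/*.repo). A non-zero audit result is reported, not fatal.
samples=$(make_samples)
for f in "$samples"/*.repo "$@"; do
    printf '== %s\n' "$f"
    audit_repo "$f" || echo "   -> $f has at least one weak section"
done
```

Only the [base] section passes; [extras] is flagged because its key would be downloaded from the mirror, and [extras-debug] because gpgcheck=0 means a substituted package is never checked at all.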