On Monday 25 February 2008, Scott Silva wrote:
> on 2/25/2008 10:40 AM Jeff Sheltren spake the following:
>> On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:
>>> ...
>>> I STILL think pointing to the http://mirror.centos.org/ site is best for the web-enabled CentOS-Base.repo file.
>> Johnny, could you let us know your reasons for wanting to point to the remote GPG key?
> I would think if you could compromise the mirror DNS list, you could have malicious rpms signed by a malicious key, and have thousands of systems get rooted.

I'm not sure what you're saying, but if the above happened, then my unaffected /etc/pki key would refuse your maliciously signed rpms.
And if my /etc/pki was bad then that was because my install was bad and I'm f**ked anyway.
/Peter
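
The distinction argued in this thread, a key already on disk under /etc/pki versus one fetched from the mirror, can be checked on an installed system by reading its .repo files. The following is an added example, not part of the original thread: the repo ids, URL paths, key file names and finding labels are constructed, and inheritance of `gpgcheck` from the `[main]` section of yum.conf is ignored.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample in yum .repo format; repo ids, paths and key names are made up.
SAMPLE_REPO = """\
[base-local-key]
name=Example base, key shipped on the installed system
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[base-remote-key]
name=Example base, key fetched from the mirror
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-example

[no-check]
name=Example repo without signature checking
baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=0
"""

def audit_repo(text):
    """Return {repo_id: finding} saying where each repo's trust anchor comes from."""
    # interpolation=None so '%' in URLs is not treated as configparser syntax
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        # Simplification: a section without gpgcheck is treated as unchecked.
        if sec.get("gpgcheck", "0").strip().lower() not in {"1", "yes", "true", "on"}:
            findings[repo] = "signatures-not-checked"
            continue
        keys = sec.get("gpgkey", "").split()  # several URLs may be listed
        schemes = {urlparse(k).scheme for k in keys}
        if not keys:
            findings[repo] = "no-gpgkey"  # only keys already imported into rpm apply
        elif schemes == {"file"}:
            findings[repo] = "local-key"  # key came with the install media
        elif schemes <= {"file", "https"}:
            findings[repo] = "remote-key-authenticated-transport"
        else:
            # Key arrives over the same unauthenticated channel as the packages,
            # so whoever controls the mirror answer controls both.
            findings[repo] = "remote-key-same-channel-as-packages"
    return findings
```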