On Monday 25 February 2008, Jeff Sheltren wrote:
> Hi, as a follow-up to a conversation in #centos-devel, I'd like to get input from the list on this issue.
>
> The question is where to point people, and tools like yum, for the CentOS GPG key used to verify RPM signatures. My opinion is that pointing to the key in /etc/pki/, which gets installed by centos-release, makes the most sense. This is already installed locally on any CentOS (-5) machine. See i.e. http://bugs.centos.org/view.php?id=2419
I agree with using /etc/pki. The most important things to change are the gpgkey= lines in our .repo files.
From a security standpoint, there are issues with either choice.
Something like this:

current way (www.centos.org) trusts: local machine, dns, centos.org
/etc/pki trusts: local machine
/Peter
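The trust comparison above in checkable form, as an added example that is not from this thread or from the CentOS project: a POSIX shell audit that flags gpgkey= entries fetched over the network (which trust DNS and the web server in addition to the local machine) versus file:// keys already on disk, and repos with gpgcheck=0. The www.centos.org URL in the sample is a constructed placeholder, and the sample key directory stands in for /etc/pki/rpm-gpg as installed by centos-release.

```shell
#!/bin/sh
# Audit yum .repo files for how the RPM signing key is referenced.
# Added example, not CentOS project code. Assumptions: .repo files live in the
# directory passed as $1; the locally installed key is a file:// path such as
# /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 (placed there by centos-release).

# audit_repo_file FILE
# Prints one "STATUS URL" line per URL in a gpgkey= line. STATUS is:
#   remote        key fetched over the network (trusts DNS and the server too)
#   local-ok      file:// URL and the file is readable
#   local-missing file:// URL but the file is absent (signature check will fail)
#   unknown       any other scheme
# Also prints "gpgcheck-off FILE" when the repo disables signature checks.
audit_repo_file() {
    grep -iq '^gpgcheck=0' "$1" && echo "gpgcheck-off $1"
    grep -i '^gpgkey=' "$1" | cut -d= -f2- | tr ' ' '\n' | while read -r url; do
        [ -n "$url" ] || continue
        case "$url" in
            file://*)
                if [ -r "${url#file://}" ]; then echo "local-ok $url"
                else echo "local-missing $url"; fi ;;
            http://*|https://*|ftp://*) echo "remote $url" ;;
            *) echo "unknown $url" ;;
        esac
    done
}

# audit_repo_dir DIR
# Returns 0 only when every .repo file verifies signatures against a local key.
audit_repo_dir() {
    bad=0
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        if audit_repo_file "$f" | grep -qv '^local-ok '; then bad=1; fi
    done
    return $bad
}

# make_sample DIR
# Writes a constructed "before" (remote key) and "after" (local key) repo file,
# plus a dummy key file standing in for /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5.
make_sample() {
    mkdir -p "$1" && printf 'not a real key\n' > "$1/RPM-GPG-KEY-CentOS-5"
    printf '[base]\ngpgcheck=1\ngpgkey=http://www.centos.org/EXAMPLE-KEY-URL\n' > "$1/before.repo"
    printf '[base]\ngpgcheck=1\ngpgkey=file://%s/RPM-GPG-KEY-CentOS-5\n' "$1" > "$1/after.repo"
}
```

Run `make_sample /tmp/repo-audit && audit_repo_dir /tmp/repo-audit; echo $?` to see the remote entry in before.repo flagged and the directory audit fail until that line is switched to the file:// key.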