On Tue, 27 Apr 2004, R P Herrold wrote:
On Tue, 27 Apr 2004, Lance Davis wrote:
I think the key should be installed automatically as part of the install process - but don't know how / why it isn't ...
Two schools of thought there -- When doing a local RO media install, one assumedly trusts the media to not have been tampered with, and it should be added [the use of the media is a manual act of trust]; when doing a wire install, unless there is a prior affirmative act on the chain of trust [manual installation of the key from a trusted source], it is probably reasonable to not do (rpm as a matter of strict policy runs without user intervention).
But surely - if the key is not the correct one - i.e. is a trojan, then the packages may also have been signed with the trojanned key anyway - because they are being downloaded from the same source ...
The key should really not be sourced from a mirror I guess, only from the root repo, or the key md5sum should be checked. ???
Lance
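
The check discussed in this thread, as an added example that is not part of the original messages: the key file fetched from a mirror is imported only if its digest equals a value obtained through a separate trusted channel. It assumes SHA-256 (`sha256sum`) in place of the md5sum mentioned above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate `rpm --import` on a digest pinned out of band.
# The pin must come from a channel other than the mirror that served the key;
# a digest file downloaded next to the key proves nothing.

# key_digest FILE -> prints the lowercase SHA-256 hex digest of FILE
key_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# key_matches_pin FILE PINNED_HEX
# returns 0 only when FILE exists and its digest equals the pin,
# 1 on mismatch, 2 when the file is missing, 3 when the pin is malformed
key_matches_pin() {
    keyfile=$1
    # Accept pins written in upper case or with spaces/colons between bytes
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' :')

    [ -f "$keyfile" ] || return 2

    # An empty or non-hex pin must never compare equal to anything
    case $pinned in
        ''|*[!0-9a-f]*) return 3 ;;
    esac
    [ "${#pinned}" -eq 64 ] || return 3

    actual=$(key_digest "$keyfile") || return 2
    [ "$actual" = "$pinned" ]
}

# import_pinned_key FILE PINNED_HEX -> adds the key to the rpm keyring
# only after the digest check passes; otherwise refuses and returns 1
import_pinned_key() {
    if key_matches_pin "$1" "$2"; then
        rpm --import "$1"
    else
        echo "refusing to import $1: digest does not match pinned value" >&2
        return 1
    fi
}
```
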