On Tue, 27 Apr 2004, Lance Davis wrote:
I think the key should be installed automatically as part of the install process - but don't know how / why it isn't ...
Two schools of thought there -- When doing a local RO media install, one assumedly trusts the media to not have been tampered with, and it should be added [the use of the media is a manual act of trust]; when doing a wire install, unless there is a prior affirmative act on the chain of trust [manual installation of the key from a trusted source], it is probably reasonable to not do (rpm as a matter of strict policy runs without user intervention).
Once an initial trusted key is installed, supplemental keys may be managed under the rpm packaging mechanism (an approach with %pre/%post script management comes to mind). This is because the later keying packages would be oversigned with a key properly on the keychain. Expirations and revocations can then also be handled more cleanly. (This is the relaxed school)
Others feel: By rights, really, rpm should not receive an import of a key without a mechanism for preventing a hostile insertion -- such as a passphrase -- but the counter argument is that as only 'root' has RW access on the relevant file, if the attacker already has root rights, they could sniff the needed passphrase to do so.
The contrary school is the GPG passphrase school, which adds the supplemental protection anyway. (This is the tin foil hat school.)
-- Russ Herrold
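
The "prior affirmative act" for a wire install, sketched as an added example that is not part of the original message: a downloaded key is handed to `rpm --import` only if its fingerprint matches one obtained out of band. The function names, the sample listing and its fingerprints are constructed for illustration, and a GnuPG that supports `--show-keys` is assumed.

```shell
#!/bin/sh
# Added example (not from the original message): gate `rpm --import` on a
# fingerprint that was obtained out of band, e.g. read from trusted media.

# Constructed sample of `gpg --with-colons` output for a single key.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1083000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1083000000::::Example Signing Key <key@example.invalid>:
sub:-:4096:1:FEDCBA9876543210:1083000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print the primary-key fingerprint (field 10 of the "fpr" record that follows
# "pub"). Prints nothing unless the listing holds exactly one public key, so a
# file that bundles an extra key cannot ride along with the expected one.
primary_fpr() {
    awk -F: '
        $1 == "pub"         { pubs++; want = 1; next }
        $1 == "fpr" && want { fpr = $10; want = 0 }
        END                 { if (pubs == 1) print fpr }'
}

# Normalise a fingerprint as people write it: strip blanks, upper-case hex.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# fpr_matches EXPECTED   (colon listing on stdin); exit 0 only on exact match.
fpr_matches() {
    expected=$(normalise_fpr "$1")
    actual=$(primary_fpr)
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# import_if_trusted KEYFILE EXPECTED_FPR
import_if_trusted() {
    if gpg --show-keys --with-colons "$1" 2>/dev/null | fpr_matches "$2"; then
        rpm --import "$1"
    else
        echo "refusing to import $1: fingerprint does not match" >&2
        return 1
    fi
}
```

The expected fingerprint has to arrive over a different channel than the key file itself; otherwise the comparison adds nothing to the chain of trust.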