[CentOS-devel] Point yum repos to centos gpg key in /etc/pki/

Mon Feb 25 18:34:32 UTC 2008
Johnny Hughes <johnny at centos.org>

Jeff Sheltren wrote:
> Hi, as a follow up to a conversation in #centos-devel, I'd like to get 
> input from the list on this issue.
> The question is where to point people, and tools like yum, for the 
> centos gpg key used to verify rpm signatures.  My opinion is that 
> pointing to the key in /etc/pki/ which gets installed by the 
> centos-release makes the most sense.  This is already installed locally 
> on any centos (-5) machine.  See ie. 
> http://bugs.centos.org/view.php?id=2419
>  From a security standpoint, there are issues with either choice.  
> However, if your install media has been compromised, then there would be 
> many other ways to bypass the gpg checks rather than just changing the 
> gpg key from the centos-release package.  Pointing to a URL for the gpg 
> key opens up more security issues such as dns poisoning.
> -Jeff

I think that for the CentOS-Media.repo file that using the /etc/pki 
directory makes sense.

I STILL think pointing to the http://mirror.centos.org/ site is best for 
the web enabled CentOS-Base.repo file.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20080225/ff313ef4/attachment-0005.sig>