Hi, as a follow-up to a conversation in #centos-devel, I'd like to get input from the list on this issue.

The question is where to point people, and tools like yum, for the CentOS GPG key used to verify RPM signatures. My opinion is that pointing to the key in /etc/pki/, which gets installed by centos-release, makes the most sense. This is already installed locally on any CentOS (-5) machine. See i.e. http://bugs.centos.org/view.php?id=2419

From a security standpoint, there are issues with either choice. However, if your install media has been compromised, then there would be many other ways to bypass the GPG checks rather than just changing the GPG key from the centos-release package. Pointing to a URL for the GPG key opens up more security issues such as DNS poisoning.

-Jeff
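As an added illustration of the trade-off Jeff describes (this is not part of his message or of any CentOS file), the following POSIX shell check reads a yum `.repo` file and flags each repository section that either fetches its `gpgkey` over the network instead of from a local `file://` path under /etc/pki, or has `gpgcheck` switched off. The sample `.repo` contents, the mirror hostname `mirror.example.invalid` and the key filename `RPM-GPG-KEY-EXAMPLE` are constructed placeholders, not the real CentOS values.

```shell
#!/bin/sh
# Constructed sample .repo file (placeholder hostnames and key name, not a
# real CentOS configuration): one section keys off a local file under
# /etc/pki, one fetches the key over HTTP, one disables checking entirely.
SAMPLE_REPO='[base]
name=CentOS-5 - Base (constructed sample)
baseurl=http://mirror.example.invalid/centos/5/os/i386/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE

[updates]
name=CentOS-5 - Updates (constructed sample)
baseurl=http://mirror.example.invalid/centos/5/updates/i386/
gpgcheck=1
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY-EXAMPLE

[extras]
name=CentOS-5 - Extras (constructed sample)
baseurl=http://mirror.example.invalid/centos/5/extras/i386/
gpgcheck=0
'

# audit_repo_config: reads a .repo file on stdin and prints one line per
# section that is not verified against a locally installed key.
# Sections with gpgcheck=1 and a file:// gpgkey produce no output.
audit_repo_config() {
    awk '
        # Emit a finding for the section just finished, if any.
        function report() {
            if (section == "") return
            if (gpgcheck != "1")
                printf "%s: gpgcheck is %s (signature verification off)\n", \
                    section, (gpgcheck == "" ? "unset" : gpgcheck)
            else if (gpgkey == "")
                printf "%s: gpgcheck=1 but no gpgkey configured\n", section
            else if (gpgkey !~ /^file:\/\//)
                printf "%s: gpgkey fetched over the network (%s)\n", section, gpgkey
        }
        # A new [section] header closes the previous section.
        /^\[.*\]$/ {
            report()
            section = substr($0, 2, length($0) - 2)
            gpgcheck = ""
            gpgkey = ""
            next
        }
        /^gpgcheck=/ { sub(/^gpgcheck=/, ""); gpgcheck = $0 }
        /^gpgkey=/   { sub(/^gpgkey=/, "");   gpgkey = $0 }
        END { report() }
    '
}

# Stand-alone run over the constructed sample; on a real host you would
# feed it the files under /etc/yum.repos.d/ instead.
printf '%s\n' "$SAMPLE_REPO" | audit_repo_config
```

Run against the sample it reports the `updates` section (key pulled over HTTP, so a DNS or mirror compromise could substitute the key) and the `extras` section (no checking at all), while `base`, which uses the key shipped by centos-release under /etc/pki, is silent. Note that `gpgcheck` left unset is reported conservatively, because in that case the effective value is inherited from `[main]` in yum.conf and has to be checked there.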