On Monday 25 February 2008, Jeff Sheltren wrote:
> Hi, as a follow-up to a conversation in #centos-devel, I'd like to get
> input from the list on this issue.
>
> The question is where to point people, and tools like yum, for the
> centos gpg key used to verify rpm signatures. My opinion is that
> pointing to the key in /etc/pki/ which gets installed by the
> centos-release makes the most sense. This is already installed locally on
> any centos (-5) machine. See ie. http://bugs.centos.org/view.php?id=2419

I agree with using /etc/pki. The most important thing to change is the
gpgkey= lines in our .repo files.

> From a security standpoint, there are issues with either choice.

Something like this:

current way (www.centos.org) trusts: local machine, dns, centos.org
/etc/pki trusts: local machine

/Peter
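An added example, not from the thread or from CentOS: a POSIX shell audit that reads the gpgkey= lines of the given .repo files and labels each key URL with the trust set from the breakdown above (local file vs. network fetch). All file paths and .repo content below are constructed for the demo.

```shell
#!/bin/sh
# Audit yum .repo files for gpgkey= values that fetch the signing key over
# the network instead of reading the copy centos-release installs under
# /etc/pki. Usage: audit_repo_gpgkeys /etc/yum.repos.d/*.repo
# Prints one line per gpgkey URL, prefixed REMOTE / LOCAL / MISSING / UNKNOWN.
audit_repo_gpgkeys() {
    for f in "$@"; do
        # A gpgkey= value may list several URLs separated by whitespace,
        # so strip the key name and split the value one URL per line.
        grep -i '^[[:space:]]*gpgkey[[:space:]]*=' "$f" |
          sed 's/^[^=]*=[[:space:]]*//' | tr ' \t' '\n\n' | grep -v '^$' |
          while read -r url; do
            case "$url" in
                file://*)
                    if [ -r "${url#file://}" ]; then
                        echo "LOCAL   $f: $url (trusts: local machine)"
                    else
                        echo "MISSING $f: $url (key file not readable)"
                    fi ;;
                http://*|https://*|ftp://*)
                    echo "REMOTE  $f: $url (trusts: local machine, dns, remote host)" ;;
                *)
                    echo "UNKNOWN $f: $url" ;;
            esac
        done
    done
}

# Number of REMOTE findings; 0 means every key is read from local disk.
count_remote_gpgkeys() {
    audit_repo_gpgkeys "$@" | grep -c '^REMOTE' || true
}

# Demo on constructed input (temporary dir and fake key file, not a real
# CentOS mirror configuration).
demo_dir=$(mktemp -d)
touch "$demo_dir/RPM-GPG-KEY-CentOS-5"
cat > "$demo_dir/CentOS-Base.repo" <<EOF
[base]
name=CentOS-5 - Base (constructed sample)
gpgcheck=1
gpgkey=http://www.centos.org/RPM-GPG-KEY-CentOS-5

[updates]
name=CentOS-5 - Updates (constructed sample)
gpgcheck=1
gpgkey=file://$demo_dir/RPM-GPG-KEY-CentOS-5
EOF
audit_repo_gpgkeys "$demo_dir/CentOS-Base.repo"
echo "remote keys: $(count_remote_gpgkeys "$demo_dir/CentOS-Base.repo")"
```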