Jeff Sheltren wrote:
> Hi, as a follow-up to a conversation in #centos-devel, I'd like to get
> input from the list on this issue.
>
> The question is where to point people, and tools like yum, for the
> centos gpg key used to verify rpm signatures. My opinion is that
> pointing to the key in /etc/pki/ which gets installed by the
> centos-release makes the most sense. This is already installed locally
> on any centos (-5) machine. See i.e.
> http://bugs.centos.org/view.php?id=2419
>
> From a security standpoint, there are issues with either choice.
> However, if your install media has been compromised, then there would be
> many other ways to bypass the gpg checks rather than just changing the
> gpg key from the centos-release package. Pointing to a URL for the gpg
> key opens up more security issues such as DNS poisoning.
>
> -Jeff

I think that for the CentOS-Media.repo file, using the /etc/pki directory makes sense.

I STILL think pointing to the http://mirror.centos.org/ site is best for the web-enabled CentOS-Base.repo file.
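The choice being debated above (gpgkey= pointing at the key that centos-release installs under /etc/pki/rpm-gpg/ versus an http URL on mirror.centos.org) is something an administrator can audit across a box's .repo files. The script below is an added example and is not part of this thread, of centos-release, or of yum: it classifies each repo section by where its signing key comes from and flags sections with gpgcheck disabled. The .repo file it reads is constructed inline to mirror the CentOS-5 layout; the section names, the "thirdparty" repo and its URL are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the centos-devel thread: audit yum .repo files for
# where each section sources its gpgkey (local file:// vs remote http/https)
# and whether gpgcheck is enabled at all.

# Constructed sample .repo file. Section names, the "thirdparty" repo and its
# URL are assumptions made for this example; the key paths mirror CentOS 5.
SAMPLE_REPO="$(mktemp)"
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

[c5-media]
name=CentOS-$releasever - Media
baseurl=file:///media/CentOS/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[thirdparty]
name=Third-party packages (hypothetical)
baseurl=http://example.invalid/el5/
gpgcheck=0
EOF

# audit_repo FILE
# Prints one line per [section]: "<section> <gpgcheck> <key-source>", where
# key-source is local (file://), remote-http, remote-https, none or other.
audit_repo() {
    awk '
        function emit(    cls) {
            if (key == "")                 cls = "none"
            else if (key ~ /^file:\/\//)   cls = "local"
            else if (key ~ /^https:\/\//)  cls = "remote-https"
            else if (key ~ /^http:\/\//)   cls = "remote-http"
            else                           cls = "other"
            printf "%s %s %s\n", sec, check, cls
        }
        /^\[[^]]+\]$/ {
            if (sec != "") emit()
            sec = substr($0, 2, length($0) - 2); check = "unset"; key = ""
            next
        }
        /^gpgcheck=/ { check = substr($0, 10) }
        /^gpgkey=/   { key   = substr($0, 8) }
        END          { if (sec != "") emit() }
    ' "$1"
}

# count_remote_keys FILE: sections that fetch the signing key over the network,
# i.e. the case the thread worries about (DNS poisoning, mirror compromise).
count_remote_keys() {
    audit_repo "$1" | awk '$3 ~ /^remote-/ { n++ } END { print n + 0 }'
}

# count_unchecked FILE: sections where rpm signatures are not verified at all
# (gpgcheck=0 or no gpgcheck line), which makes the key location moot.
count_unchecked() {
    audit_repo "$1" | awk '$2 != "1" { n++ } END { print n + 0 }'
}

audit_repo "$SAMPLE_REPO"
echo "remote keys: $(count_remote_keys "$SAMPLE_REPO")"
echo "unchecked:   $(count_unchecked "$SAMPLE_REPO")"
```

On a real host, run audit_repo over /etc/yum.repos.d/*.repo instead of the sample. A "remote-http" result is a section whose trust anchor is fetched over plain HTTP on first use, which is exactly the DNS-poisoning exposure Jeff describes; a "local" result relies on the key that centos-release already placed under /etc/pki/rpm-gpg/, which is the key `rpm --import` would load.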