On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:

> Jeff Sheltren wrote:
>> Hi, as a follow up to a conversation in #centos-devel, I'd like to
>> get input from the list on this issue.
>>
>> The question is where to point people, and tools like yum, for the
>> centos gpg key used to verify rpm signatures. My opinion is that
>> pointing to the key in /etc/pki/ which gets installed by the
>> centos-release makes the most sense. This is already installed locally
>> on any centos (-5) machine. See ie. http://bugs.centos.org/view.php?id=2419
>>
>> From a security standpoint, there are issues with either choice.
>> However, if your install media has been compromised, then there
>> would be many other ways to bypass the gpg checks rather than just
>> changing the gpg key from the centos-release package. Pointing to
>> a URL for the gpg key opens up more security issues such as dns
>> poisoning.
>>
>> -Jeff
>
> I think that for the CentOS-Media.repo file that using the /etc/pki
> directory makes sense.
>
> I STILL think pointing to the http://mirror.centos.org/ site is best
> for the web enabled CentOS-Base.repo file.

Johnny, could you let us know your reasons for wanting to point to the
remote GPG key?

Thanks,
Jeff
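The two gpgkey choices the thread weighs (local /etc/pki copy versus a URL on the mirror), as an added shell example that is not part of the thread or of CentOS: it parses yum .repo files and reports, per repo section, where the key comes from and whether signature checking is on at all. The sample repo file, mirror hostname and key path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit yum .repo files for where each
# repo's gpgkey comes from, the choice discussed above for CentOS-Base.repo.

# Prints "<section> <verdict>" per repo section:
#   OK           gpgcheck=1 and gpgkey is a local file:// path (the copy
#                installed by centos-release under /etc/pki)
#   REMOTE-KEY   gpgcheck=1 but gpgkey is fetched over http(s)://, so the
#                trust anchor depends on DNS and the mirror at first use
#   NO-GPGCHECK  gpgcheck is not 1; package signatures are never checked
#   NO-KEY       gpgcheck=1 but no gpgkey set; yum has nothing to import
audit_repo_file() {
    awk '
        function flush() {
            if (sec == "") return
            if (gpgcheck != "1")            v = "NO-GPGCHECK"
            else if (key ~ /^https?:\/\//)  v = "REMOTE-KEY"
            else if (key ~ /^file:\/\//)    v = "OK"
            else                            v = "NO-KEY"
            print sec, v
        }
        /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2); gpgcheck = ""; key = ""; next }
        /^gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpgcheck = $0 }
        /^gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); key = $0 }
        END { flush() }
    ' "$1"
}

# Constructed sample showing both choices from the thread plus a repo with
# checking disabled (placeholder mirror hostname; not a real CentOS file).
write_sample_repo() {
    cat > "$1" <<'EOF'
[base-local]
name=CentOS-5 - Base (local key)
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[base-remote]
name=CentOS-5 - Base (remote key)
gpgcheck=1
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY-CentOS-5

[extras-unchecked]
name=CentOS-5 - Extras (no signature check)
gpgcheck=0
EOF
}
```

Run it on a real system with `for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done`; on a CentOS box the REMOTE-KEY lines are exactly the repos whose first `yum` use fetches the trust anchor over the network.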