[CentOS-devel] Point yum repos to centos gpg key in /etc/pki/

Mon Feb 25 18:40:40 UTC 2008
Jeff Sheltren <jeff at osuosl.org>

On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:

> Jeff Sheltren wrote:
>> Hi, as a follow-up to a conversation in #centos-devel, I'd like to
>> get input from the list on this issue.
>>
>> The question is where to point people, and tools like yum, for the
>> centos gpg key used to verify rpm signatures.  My opinion is that
>> pointing to the key in /etc/pki/, which gets installed by the
>> centos-release package, makes the most sense.  This is already
>> installed locally on any centos (-5) machine.  See e.g.
>> http://bugs.centos.org/view.php?id=2419
>>
>> From a security standpoint, there are issues with either choice.
>> However, if your install media has been compromised, then there
>> would be many other ways to bypass the gpg checks rather than just
>> changing the gpg key from the centos-release package.  Pointing to
>> a URL for the gpg key opens up more security issues such as dns
>> poisoning.
>>
>> -Jeff
>
> I think that for the CentOS-Media.repo file that using the /etc/pki  
> directory makes sense.
>
> I STILL think pointing to the http://mirror.centos.org/ site is best  
> for the web enabled CentOS-Base.repo file.

Johnny, could you let us know your reasons for wanting to point to the  
remote GPG key?

Thanks,
Jeff
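As an added illustration of the two gpgkey choices being debated (this is not code from the thread or from the CentOS project), here is a small checker that reads a yum .repo file and reports, per stanza, where the signing key comes from. The .repo text is constructed for the example; the key file name RPM-GPG-KEY-CentOS-5 under /etc/pki/rpm-gpg and the http://mirror.centos.org/ location are assumed to match what centos-release ships and what the thread refers to.

```python
"""Lint yum .repo stanzas for where they get the RPM signing key.

Added example: not code from the list thread or the CentOS project.
Assumptions: the key file name RPM-GPG-KEY-CentOS-5 (shipped by the
centos-release package under /etc/pki/rpm-gpg on CentOS 5) and the
http://mirror.centos.org/ URL are the two choices the thread debates.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample .repo content: one stanza per choice, plus one with
# signature checking switched off entirely.
SAMPLE_REPO = """\
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=0
"""


def lint_repo(repo_text):
    """Return {stanza: [findings]}; an empty list means the stanza is fine.

    A file:// key comes from the install media via centos-release and is
    trusted exactly as much as the rest of the install.  Any network scheme
    means the trust anchor is fetched at first use, so a poisoned DNS answer
    or a rogue mirror can hand yum a different key.
    """
    # '$releasever' etc. are yum's own variables, so disable '%' interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    findings = {}
    for sec in cp.sections():
        issues = []
        gpgcheck = cp.get(sec, "gpgcheck", fallback="0")
        # yum accepts several whitespace-separated URLs in one gpgkey value.
        keys = cp.get(sec, "gpgkey", fallback="").split()
        if gpgcheck != "1":
            issues.append("gpgcheck is off: package signatures are never verified")
        elif not keys:
            issues.append("gpgcheck=1 but no gpgkey: yum cannot import the signing key")
        for url in keys:
            scheme = urlparse(url).scheme
            if scheme == "file":
                continue  # locally installed key, nothing to fetch
            if scheme == "http":
                issues.append(f"key fetched over plain HTTP: {url} "
                              "(DNS poisoning or a rogue mirror can substitute the key)")
            elif scheme == "https":
                issues.append(f"key fetched over HTTPS: {url} "
                              "(trust moves to the CA set; still not anchored on the install)")
            else:
                issues.append(f"unexpected gpgkey scheme {scheme!r}: {url}")
        findings[sec] = issues
    return findings


if __name__ == "__main__":
    for stanza, issues in lint_repo(SAMPLE_REPO).items():
        print(f"[{stanza}]")
        for issue in issues or ["ok"]:
            print("  " + issue)
```

One caveat worth keeping in mind when reading the output: yum consults gpgkey only when it has to import a key that is not already in the rpm database, so the URL is fetched at the first import and not on every transaction. That first import is exactly the moment the thread is arguing about, since it is where the trust anchor for every later signature check is established.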