on 2/25/2008 10:40 AM Jeff Sheltren spake the following:
> On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:
>
>> Jeff Sheltren wrote:
>>> Hi, as a follow up to a conversation in #centos-devel, I'd like to
>>> get input from the list on this issue.
>>>
>>> The question is where to point people, and tools like yum, for the
>>> centos gpg key used to verify rpm signatures. My opinion is that
>>> pointing to the key in /etc/pki/ which gets installed by
>>> centos-release makes the most sense. This is already installed
>>> locally on any centos (-5) machine. See e.g.
>>> http://bugs.centos.org/view.php?id=2419
>>>
>>> From a security standpoint, there are issues with either choice.
>>> However, if your install media has been compromised, then there would
>>> be many other ways to bypass the gpg checks rather than just changing
>>> the gpg key from the centos-release package. Pointing to a URL for
>>> the gpg key opens up more security issues such as dns poisoning.
>>>
>>> -Jeff
>>
>> I think that for the CentOS-Media.repo file using the /etc/pki
>> directory makes sense.
>>
>> I STILL think pointing to the http://mirror.centos.org/ site is best
>> for the web enabled CentOS-Base.repo file.
>
> Johnny, could you let us know your reasons for wanting to point to the
> remote GPG key?
>

I would think if you could compromise the mirror dns list, you could have
malicious rpms signed by a malicious key, and have thousands of systems get
rooted.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
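The thread contrasts a `gpgkey` that points at the locally installed key under /etc/pki with one fetched from mirror.centos.org over plain http. As an added example (not code from the list or from the CentOS project), the audit below parses yum .repo stanzas and flags the weaker settings; the sample .repo text, the key file name and the mirror paths are constructed assumptions modelled on the two repo files named in the thread.

```python
"""Audit yum .repo stanzas for how the RPM signing key is obtained."""
import configparser

# Constructed sample; key file name and mirror paths are assumptions.
SAMPLE_REPO = """
[base]
name=CentOS-5 - Base
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=i386&repo=os
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

[c5-media]
name=CentOS-5 - Media
baseurl=file:///media/CentOS/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[extras]
name=CentOS-5 - Extras
baseurl=http://mirror.centos.org/centos/5/extras/i386/
gpgcheck=0
"""


def audit_repo(text):
    """Return {section: [findings]} for stanzas with weak key handling.

    A gpgkey fetched over plain http: is only as trustworthy as the path
    to the mirror (DNS, proxies), which is the concern raised in the
    thread; gpgcheck=0 skips signature verification entirely.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for sect in cp.sections():
        issues = []
        if cp.get(sect, "gpgcheck", fallback="0") != "1":
            issues.append("gpgcheck disabled")
        for key in cp.get(sect, "gpgkey", fallback="").split():
            if key.startswith("http://"):
                issues.append("gpgkey fetched over plain http: " + key)
            elif not key.startswith("file:///etc/pki/"):
                issues.append("gpgkey outside /etc/pki: " + key)
        if issues:
            findings[sect] = issues
    return findings


if __name__ == "__main__":
    for sect, issues in audit_repo(SAMPLE_REPO).items():
        print(sect, "->", "; ".join(issues))
```

Run it against the real files with `audit_repo(open("/etc/yum.repos.d/CentOS-Base.repo").read())`; only the [c5-media] style stanza passes cleanly here.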