On Monday 25 February 2008, Scott Silva wrote:
> on 2/25/2008 10:40 AM Jeff Sheltren spake the following:
> > On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:
...
> >> I STILL think pointing to the http://mirror.centos.org/ site is best
> >> for the web enabled CentOS-Base.repo file.
> >
> > Johnny, could you let us know your reasons for wanting to point to the
> > remote GPG key?
>
> I would think if you could compromise the mirror dns list, you could have
> malicious rpm's signed by a malicious key, and have thousands of systems
> get rooted.

I'm not sure what you're saying, but if the above happened, then my unaffected /etc/pki key would refuse your maliciously signed rpms. And if my /etc/pki was bad then that was because my install was bad and I'm f**ked anyway.

/Peter
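A check that follows from the argument in this message, added here as an example and not part of the original thread: it reads a yum `.repo` file and reports every repository whose `gpgkey` is fetched over the network instead of from a local `file:` path, or that sets `gpgcheck=0`. The sample repo text, host names and key file name are constructed.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample; not the real CentOS-Base.repo.
SAMPLE_REPO = """\
[base]
name=Example - Base
mirrorlist=http://mirrorlist.example.invalid/?release=$releasever&repo=os
gpgcheck=1
gpgkey=http://mirror.example.invalid/centos/RPM-GPG-KEY-EXAMPLE

[updates]
name=Example - Updates
mirrorlist=http://mirrorlist.example.invalid/?release=$releasever&repo=updates
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE

[extras]
name=Example - Extras
gpgcheck=0
"""


def audit_repo(text):
    """Return (repo_id, issue) pairs for one .repo file's contents."""
    # No interpolation: repo files use $releasever and may contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    findings = []
    for repo_id in cp.sections():
        section = cp[repo_id]
        if section.get("gpgcheck", "").strip() == "0":
            findings.append((repo_id, "gpgcheck disabled"))
            continue
        # gpgkey may list several URLs; each is checked on its own.
        for url in re.split(r"[\s,]+", section.get("gpgkey", "")):
            # A key read from local disk came with the install; any other
            # scheme means the trust anchor arrives over the network.
            if url and urlparse(url).scheme != "file":
                findings.append((repo_id, "remote key: " + url))
    return findings


if __name__ == "__main__":
    for repo_id, issue in audit_repo(SAMPLE_REPO):
        print(f"[{repo_id}] {issue}")
```
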