On Saturday 10 May 2008, Akemi Yagi wrote:
> 2008/2/25 Peter Kjellstrom <cap at nsc.liu.se>:
> > On Monday 25 February 2008, Johnny Hughes wrote:
> >> Jeff Sheltren wrote:
> >
> > ...
> >
> >> > Johnny, could you let us know your reasons for wanting to point to the
> >> > remote GPG key?
> >>
> >> We DON'T allow downloads of ISOs from centos.org servers due to
> >> bandwidth considerations. It would be fairly easy to put out an ISO
> >> that had different RPMS and a different key.
> >>
> >> Granted, people CAN check the md5 and sha1 sum of the ISOs if they
> >> choose.
> >>
> >> Since we do control the content of every mirror.centos.org server, we
> >> know that the key file is correct. In order to make that key AND the
> >> RPMS be bad, they need a doctored CD *AND* they need to hijack our
> >> content by DNS poisoning or getting control of our servers.
> >>
> >> I just think if you are using the internet anyway, why not also get the
> >> key from a known location.
> >
> > I agree that there's something intuitively right about that, but,
> > unfortunately it's wrong :-)
> >
> > Here's why.
> >
> > We have to assume that the install the user has is intact and
> > uncompromised. Why? Well, if it has been compromised in any way then not
> > only could it contain a malicious /etc/pki, it could of course have
> > different gpgkey= lines in the .repo files...
> >
> > It will have to be up to the user to make sure (with our help, signed
> > .isos, installers that check rpm signatures and stage2 signature) that
> > he/she has an ok system. If they fail then they don't really run centos,
> > they run haxx0r os and any attempt to validate anything inside that will
> > fail.
> >
> > /Peter
>
> This discussion has been dormant for a while... With 5.2 just around
> the corner, isn't it a good idea to wrap this up and reach some sort
> of a conclusion?
>
> Akemi

I would have liked to wake this thread in time for 5.2 but unfortunately
I haven't had any time for centos lately. :-(

It was my interpretation that the discussion ended somewhat in favour of
/etc/pki but either that was just my wishful thinking or it got
forgotten/delayed/dropped because it didn't make it into centos-release
for 5.2.

What are the concerns people still have regarding this? (switching
gpgkey= from http://centos.org... to /etc/pki/...)

/Peter
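A small audit script for the .repo setting under discussion, added here as an example and not part of the thread: it flags repo sections whose gpgkey= points at a network URL rather than a file under /etc/pki/rpm-gpg, and sections with gpgcheck turned off. The sample .repo text, mirror host and key filename are constructed placeholders.

```python
"""Audit yum .repo files for gpgkey= lines that fetch the signing key over
the network instead of reading it from the locally installed /etc/pki/rpm-gpg.
The sample .repo text below is constructed; host and key name are placeholders."""
import configparser
import io
from urllib.parse import urlparse

SAMPLE_REPO = """\
[base]
name=CentOS-$releasever - Base
gpgcheck=1
gpgkey=http://mirror.example/centos/RPM-GPG-KEY-EXAMPLE

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE

[extras]
name=CentOS-$releasever - Extras
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE
"""

REMOTE_SCHEMES = {"http", "https", "ftp"}

def audit_repo_text(text):
    """Return {section: finding} for repos whose signature check is weak:
    gpgcheck off, no gpgkey at all, or a gpgkey fetched from the network."""
    # interpolation=None keeps yum's $releasever / $basearch variables literal
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    findings = {}
    for section in cp.sections():
        if cp.get(section, "gpgcheck", fallback="0") != "1":
            findings[section] = "gpgcheck disabled"
            continue
        key = cp.get(section, "gpgkey", fallback="")
        if not key.strip():
            findings[section] = "no gpgkey"
            continue
        for url in key.split():  # a repo may list several keys
            if urlparse(url).scheme.lower() in REMOTE_SCHEMES:
                findings[section] = "remote gpgkey: " + url
                break
    return findings

if __name__ == "__main__":
    for name, why in sorted(audit_repo_text(SAMPLE_REPO).items()):
        print(name, "->", why)
```

Run it over the contents of each file in /etc/yum.repos.d to see which repos would be affected by the switch to local keys.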