2008/2/25 Peter Kjellstrom <cap at nsc.liu.se>:
> On Monday 25 February 2008, Johnny Hughes wrote:
>> Jeff Sheltren wrote:
> ...
>> > Johnny, could you let us know your reasons for wanting to point to the
>> > remote GPG key?
>>
>> We DON'T allow downloads of ISOs from centos.org servers due to
>> bandwidth considerations. It would be fairly easy to put out an ISO
>> that had different RPMS and a different key.
>>
>> Granted, people CAN check the md5 and sha1 sum of the ISOs if they choose.
>>
>> Since we do control the content of every mirror.centos.org server, we
>> know that the key file is correct. In order to make that key AND the
>> RPMS be bad, they need a doctored CD *AND* they need to hijack our
>> content by DNS poisoning or getting control of our servers.
>>
>> I just think if you are using the internet anyway, why not also get the
>> key from a known location.
>
> I agree that there's something intuitively right about that, but,
> unfortunately it's wrong :-)
>
> Here's why.
>
> We have to assume that the install the user has is intact and uncompromised.
> Why? Well, if it has been compromised in any way then not only could it
> contain a malicious /etc/pki, it could of course have different gpgkey= lines
> in the .repo files...
>
> It will have to be up to the user to make sure (with our help, signed .isos,
> installers that check rpm signatures and stage2 signature) that he/she has an
> ok system. If they fail then they don't really run centos, they run haxx0r os
> and any attempt to validate anything inside that will fail.
>
> /Peter

This discussion has been dormant for a while... With 5.2 just around the
corner, isn't it a good idea to wrap this up and reach some sort of a
conclusion?

Akemi
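The two checks the thread turns on, whether a .repo file's gpgkey= line reads the locally installed key from /etc/pki or fetches one over the network, and whether an ISO's md5/sha1 sum matches a value obtained independently of the ISO, can be scripted. The Python below is an added illustration written for this page, not code from the thread or from the CentOS project. The .repo sections, the mirror.example.org host, the RPM-GPG-KEY-example path and the "ISO" payload are constructed; the only host taken from the thread is mirror.centos.org.

```python
"""Audit yum .repo trust settings and verify an ISO digest out of band.

Added example; not CentOS project code. All sample data below is constructed.
"""
import configparser
import hashlib
from urllib.parse import urlparse

# Constructed .repo content. The /etc/pki location and the mirror.centos.org
# host are the ones the thread discusses; everything else is illustrative.
SAMPLE_REPO = """\
[base]
name=Base
baseurl=http://mirror.example.org/centos/5/os/i386/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[updates]
name=Updates
baseurl=http://mirror.example.org/centos/5/updates/i386/
gpgcheck=1
gpgkey=http://mirror.centos.org/RPM-GPG-KEY-example

[extras]
name=Extras
baseurl=http://mirror.example.org/centos/5/extras/i386/
gpgcheck=0
"""

REMOTE_SCHEMES = {"http", "https", "ftp"}


def audit_repo(text):
    """Return {section: [findings]} describing each repo's trust settings.

    Findings: signature checking off; checking on but no key configured;
    key fetched over the network instead of read from the local copy.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        findings = []
        gpgcheck = cp.get(section, "gpgcheck", fallback="0").strip() == "1"
        keys = cp.get(section, "gpgkey", fallback="").split()
        if not gpgcheck:
            findings.append("gpgcheck disabled")
        elif not keys:
            findings.append("gpgcheck enabled but no gpgkey configured")
        for key in keys:
            if urlparse(key).scheme in REMOTE_SCHEMES:
                findings.append("remote gpgkey: " + key)
        report[section] = findings
    return report


def parse_checksum_file(text):
    """Parse 'HEX  filename' lines (md5sum/sha1sum format) into {filename: hex}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blanks, comments and PGP armour lines
        digest, name = parts
        if not all(c in "0123456789abcdefABCDEF" for c in digest):
            continue  # e.g. the "Hash: SHA1" header of a clearsigned file
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_iso(iso_bytes, checksum_text, filename, algorithm="sha1"):
    """Compare the ISO's digest with the value published for it.

    checksum_text must be obtained separately from the ISO (for example from
    the project's own servers); a checksum file shipped on a doctored CD would
    simply match the doctored image.
    """
    expected = parse_checksum_file(checksum_text).get(filename)
    if expected is None:
        return False
    return hashlib.new(algorithm, iso_bytes).hexdigest() == expected


# Constructed demo data: the "ISO" is the bytes b"abc", whose sha1 and md5
# values are the standard test vectors for that input.
FAKE_ISO = b"abc"
FAKE_SHA1SUM = "a9993e364706816aba3e25717850c26c9cd0d89d  CentOS-example.iso\n"
FAKE_MD5SUM = "900150983cd24fb0d6963f7d28e17f72  CentOS-example.iso\n"

if __name__ == "__main__":
    for section, findings in audit_repo(SAMPLE_REPO).items():
        print(section, findings or ["ok"])
    print("sha1 ok:", verify_iso(FAKE_ISO, FAKE_SHA1SUM, "CentOS-example.iso"))
    print("md5 ok:", verify_iso(FAKE_ISO, FAKE_MD5SUM, "CentOS-example.iso", "md5"))
```

Run against a real /etc/yum.repos.d/*.repo file, `audit_repo` flags exactly the configuration Peter's argument depends on: a repo whose gpgkey= line would be fetched from wherever a possibly tampered .repo file says, rather than from the key already present on the installed system. `verify_iso` deliberately takes the checksum text as a separate argument so the caller has to source it independently of the image.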