[CentOS-devel] Point yum repos to centos gpg key in /etc/pki/

Sat May 10 01:34:19 UTC 2008
Akemi Yagi <amyagi at gmail.com>

2008/2/25 Peter Kjellstrom <cap at nsc.liu.se>:
> On Monday 25 February 2008, Johnny Hughes wrote:
>> Jeff Sheltren wrote:
> ...
>> > Johnny, could you let us know your reasons for wanting to point to the
>> > remote GPG key?
>>
>> We DON'T allow downloads of ISOs from centos.org servers due to
>> bandwidth considerations.  It would be fairly easy to put out an ISO
>> that had different RPMS and a different key.
>>
>> Granted, people CAN check the md5 and sha1 sum of the ISOs if they choose.
>>
>> Since we do control the content of every mirror.centos.org server, we
>> know that the key file is correct.  In order to make that key AND the
>> RPMS be bad, they need a doctored CD *AND* they need to hijack our
>> content by DNS poisoning or getting control of our servers.
>>
>> I just think if you are using the internet anyway, why not also get the
>> key from a known location.
>
> I agree that there's something intuitively right about that, but,
> unfortunately, it's wrong :-)
>
> Here's why.
>
> We have to assume that the install the user has is intact and uncompromised.
> Why? Well, if it has been compromised in any way then not only could it
> contain a malicious /etc/pki, it could of course have different gpgkey= lines
> in the .repo files...
>
> It will have to be up to the user to make sure (with our help, signed .isos,
> installers that check rpm signatures and stage2 signature) that he/she has an
> OK system. If they fail then they don't really run CentOS, they run haxx0r os
> and any attempt to validate anything inside that will fail.
>
> /Peter

This discussion has been dormant for a while...  With 5.2 just around
the corner, isn't it a good idea to wrap this up and reach some sort
of a conclusion?

Akemi
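The thread above turns on where the gpgkey= line in each .repo file points: a local file under /etc/pki (trusted only if the install itself is intact) or a URL on mirror.centos.org (fetched over the network). As an added example, not code from the list or from the CentOS project, the script below classifies every repo section by key scheme and flags sections with gpgcheck disabled; the sample .repo file and its key paths are constructed placeholders, not real CentOS paths.

```shell
#!/bin/sh
# Added example: audit gpgkey= and gpgcheck= in yum .repo files.
# Runs offline against a constructed sample; key paths are placeholders.

# audit_repo FILE -> one line per [section]: "section scheme gpgcheck"
# scheme is local (file://), remote (http:// or https://) or none.
audit_repo() {
    awk -F= '
    function flush() {
        if (sec != "") {
            scheme = "none"
            if (key ~ /^file:\/\//) scheme = "local"
            else if (key ~ /^https?:\/\//) scheme = "remote"
            printf "%s %s %s\n", sec, scheme, (check == "" ? "unset" : check)
        }
        sec = ""; key = ""; check = ""
    }
    /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2); next }
    $1 == "gpgkey"   { key = $2; next }
    $1 == "gpgcheck" { check = $2; next }
    END { flush() }
    ' "$1"
}

# Sections whose signing key is fetched over the network at install time.
remote_key_sections() { audit_repo "$1" | awk '$2 == "remote" { print $1 }'; }
# Sections where package signatures are not verified at all.
unverified_sections()  { audit_repo "$1" | awk '$3 != "1" { print $1 }'; }

# Constructed sample .repo file; paths below are placeholders.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[base]
name=Base (constructed sample)
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PLACEHOLDER

[updates]
name=Updates (constructed sample)
gpgcheck=1
gpgkey=http://mirror.centos.org/PLACEHOLDER-KEY

[extras]
name=Extras (constructed sample)
gpgcheck=0
EOF

audit_repo "$SAMPLE"
```

Running it prints one line per section; a "remote" scheme marks a key that depends on DNS and the mirror being honest, and anything other than gpgcheck 1 marks a repo whose packages are installed unverified.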