[CentOS-devel] Point yum repos to centos gpg key in /etc/pki/

Sat May 10 14:35:54 UTC 2008
Daniel de Kok <me at danieldk.org>

2008/2/25 Peter Kjellstrom <cap at nsc.liu.se>:
> We have to assume that the install the user has is intact and uncompromised.
> Why? Well, if it has been compromised in any way then not only could it
> contain a malicious /etc/pki, it could of course have different gpgkey= lines
> in the .repo files...

Or a modified yum or RPM that only appears to do verification. I agree
that we should at the very least suppose that the user verifies the
installation media.

As for DNS poisoning or hacking, that misery can potentially happen to
everyone, and a good manner to guard against this is relying on the
pre-installed key from media that was proven to be correct. So, I
think this should be the default behavior.
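A small audit of the behaviour discussed above, added here as an example and not code from this thread or from yum itself: it parses the sections of a .repo file and flags any that leave gpgcheck off or fetch gpgkey over the network instead of reading the key installed under /etc/pki/rpm-gpg/ (that directory and the sample repo content are assumptions, constructed for the demonstration).

```python
"""Audit yum .repo sections for how the signing key is obtained."""
import configparser
from urllib.parse import urlparse

# Directory where the install media places the vendor keys (assumed).
LOCAL_KEY_DIR = "/etc/pki/rpm-gpg/"

# Constructed sample .repo content; no real repository is read.
SAMPLE_REPO = """
[base]
name=CentOS base
baseurl=http://mirror.example.invalid/centos/5/os/
gpgcheck=1
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY-CentOS-5

[updates]
name=CentOS updates
baseurl=http://mirror.example.invalid/centos/5/updates/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[extras]
name=CentOS extras
baseurl=http://mirror.example.invalid/centos/5/extras/
gpgcheck=0
"""

def audit_repo_config(text):
    """Return {section: [finding, ...]} for every section with a weakness."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        problems = []
        if cp.get(section, "gpgcheck", fallback="0").strip() != "1":
            problems.append("gpgcheck is not enabled")
        # yum allows several whitespace-separated key URLs in one gpgkey line.
        keys = cp.get(section, "gpgkey", fallback="").split()
        if not keys:
            problems.append("no gpgkey configured")
        for key in keys:
            parsed = urlparse(key)
            if parsed.scheme != "file":
                problems.append("gpgkey fetched via %s instead of local file" % parsed.scheme)
            elif not parsed.path.startswith(LOCAL_KEY_DIR):
                problems.append("gpgkey not under " + LOCAL_KEY_DIR)
        if problems:
            findings[section] = problems
    return findings

if __name__ == "__main__":
    for section, problems in audit_repo_config(SAMPLE_REPO).items():
        print("[%s]: %s" % (section, "; ".join(problems)))
```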

