On Feb 20, 2011, at 4:12 PM, Stephen John Smoogen wrote:

> On Sun, Feb 20, 2011 at 13:11, Jeff Johnson <n3npq at mac.com> wrote:
>>
>
>>> 3) experienced sysadmin diagnoses issue to the rpm level
>>
>> Whoa: leave rpm out of this risk analysis please. It's not
>> rpm, but rather yum, that routinely disables signature checking.
>>
>
> s/yum/people using yum/
>
> if you don't mind :).
>

I don't mind at all because I'm not tied to an EKG in an ICU
using RHEL with yum.

But I can show you the line of code -- that can only be changed by
developers, not "people" in the usual sense of the word -- hardwired
in yum code.

OTOH, there's many threat/security models, and no one really knows
which model SHOULD apply to *.rpm.

Lord knows that RPM is the only major software installer in the world
where applications like yum routinely choose to disable signature/digest
checking for performance and the rather useless

    Do you "trust" this pubkey(yN)?

EULA-like dialog that reassures users but is only as secure as well as
"trust" is defined.

Smells like a BackOrifice to me and heck it's spelled P-U-B-L-I-C K-E-Y

(We now return you to the previous thread of CentOS bashing, sorry for
the interruption).

73 de jeff