[Centos] Re: CentOS GPG key import process

Wed Apr 28 11:37:30 UTC 2004
Lance Davis <lance at uklinux.net>

On Tue, 27 Apr 2004, R P Herrold wrote:

> On Tue, 27 Apr 2004, Lance Davis wrote:
> 
> > I think the key should be installed automatically as part of the install 
> > process - but don't know how / why it isn't ...
> 
> Two schools of thought there -- When doing a local RO media
> install, one assumedly trusts the media to not have been
> tampered with, and it should be added [the use of the media is
> a manual act of trust]; when doing a wire install, unless
> there is a prior affirmative act on the chain of trust
> [manual installation of the key from a trusted source], it is
> probably reasonable to not do (rpm as a matter of strict 
> policy runs without user intervention).

But surely - if the key is not the correct one - i.e. is a trojan, then the 
packages may also have been signed with the trojanned key anyway - because 
they are being downloaded from the same source ...

The key should really not be sourced from a mirror I guess, only from the 
root repo, or the key md5sum should be checked ...?

Lance
-- 
uklinux.net - The ISP of choice for the discerning Linux user.
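The "check the key's checksum before trusting it" idea from the message above, written out as an added example that is not part of this thread or of any CentOS tooling. It assumes the pinned digest is obtained out-of-band (from the root repository or trusted media, not the mirror that served the key), uses SHA-256 in place of the md5sum mentioned in 2004, and assumes an `rpm` binary on the path for the final import step; the key material and its digest are constructed here so the script runs offline.

```python
"""Pin a repository signing key's digest before letting rpm import it.

Added example: the key bytes below are a constructed placeholder, not a real
CentOS key, and the pinned digest is derived from them only so the script is
self-contained. In practice the pin comes from an out-of-band channel.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile

# Constructed stand-in for the key file a mirror would serve (RPM-GPG-KEY-...).
SAMPLE_KEY = (
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    b"Version: GnuPG v1\n\n"
    b"mQGiBEBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b"=AAAA\n"
    b"-----END PGP PUBLIC KEY BLOCK-----\n"
)

# Assumption: this value was published by the root repository or read from
# trusted install media, never fetched from the same mirror as the key.
PINNED_SHA256 = hashlib.sha256(SAMPLE_KEY).hexdigest()


def key_digest(key_bytes: bytes) -> str:
    """Hex SHA-256 of the raw key file exactly as downloaded."""
    return hashlib.sha256(key_bytes).hexdigest()


def key_matches_pin(key_bytes: bytes, pinned_hex: str) -> bool:
    """True only if the downloaded key hashes to the pinned digest.

    hmac.compare_digest avoids leaking how many leading hex digits matched.
    """
    expected = pinned_hex.strip().lower().encode("ascii")
    return hmac.compare_digest(key_digest(key_bytes).encode("ascii"), expected)


def import_key_if_pinned(key_bytes: bytes, pinned_hex: str, rpm: str = "rpm") -> bool:
    """Run `rpm --import` on the key only after the pin check passes.

    Returns False and imports nothing when the digest differs, so a key that
    was substituted on a mirror never enters the RPM trust database, and the
    packages signed with that substitute key keep failing signature checks.
    """
    if not key_matches_pin(key_bytes, pinned_hex):
        return False
    fd, path = tempfile.mkstemp(suffix=".asc")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(key_bytes)
        subprocess.run([rpm, "--import", path], check=True)
    finally:
        os.unlink(path)
    return True


def altered_copy(key_bytes: bytes) -> bytes:
    """Constructed 'trojanned' key: one character of the armoured body changed."""
    return key_bytes.replace(b"mQGiBEBw", b"mQGiBEBx", 1)


if __name__ == "__main__":
    print("pinned digest :", PINNED_SHA256)
    print("genuine key ok:", key_matches_pin(SAMPLE_KEY, PINNED_SHA256))
    print("altered key ok:", key_matches_pin(altered_copy(SAMPLE_KEY), PINNED_SHA256))
```

The check is only as strong as the channel the pin came from: a digest read off the same mirror that served the key adds nothing, which is exactly the objection raised in the message above.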