On Tue, 27 Apr 2004, R P Herrold wrote: > On Tue, 27 Apr 2004, Lance Davis wrote: > > > I think the key should be installed automatically as part of the install > > process - but dont know how / why it isnt ... > > Two schools of thought there -- When doing a local RO media > install, one assumedly trusts the media to not have been > tampered with, and it should be added [the use of the media is > a manual act of trust]; when doing a wire install, unless > there is an prior affirmative act on the chain of trust > [manual installation of the key from a trusted source], it is > probably reasonable to not do (rpm as a matter of strict > policy runs without user intervention). But surely - if the key is not the correct one - ie is a trojan, then the packages may also have been signed with the trojanned key anyway - because they are being downloaded from the same source ..... The key should really not be sourced from a mirror I guess, only from the root repo, or the key md5sum should be checked . ??? Lance -- uklinux.net - The ISP of choice for the discerning Linux user.