[Centos] Re: CentOS GPG key import process

Wed Apr 28 22:43:39 UTC 2004
R P Herrold <herrold at owlriver.com>

On Wed, 28 Apr 2004, Lance Davis wrote:

> But surely - if the key is not the correct one - ie is a trojan, then the 
> packages may also have been signed with the trojanned key anyway - because 
> they are being downloaded from the same source .....
> The key should really not be sourced from a mirror I guess, only from the 
> root repo, or the key md5sum should be checked . ???

well, yes -- I did not want to publicly point out that if the 
mirror is compromise, we are toast anyway with the present 

I have been thinking about trust and how to get more of it in 
you keying.  My post was in part to talk through the issue, to 
see if something obvious to solve the problem would appear -- 
ultimately, there has to be at least one manual operation, or 
a publicly countersigned (as by a external CA) to get past the 

-- Russ