[CentOS] yum/RPM and Trust on First Use

Sun Dec 20 21:28:27 UTC 2015
Always Learning <centos at u64.u22.net>

On Sun, 2015-12-20 at 12:44 -0800, Alice Wonder wrote:

> RPM has ability to install a package over the network.
> rpm -i ftp://example.org/foo-2.2.noarch.rpm

Thanks for the new knowledge.

> The point I'm trying to make though is that yum could benefit from
> the ability to verify the fingerprint in a key it is importing
> matches a DNS query for the user and domain the key claims to be for.
> Regardless of how the package was retrieved, this could prevent 
> dishonest trojan keys from being imported, especially if DNSSEC 
> validated the DNS query.

How widespread is the problem of unknowingly importing compromised
software ?


England, EU.      England's place is in the European Union.