On 12/20/2015 01:28 PM, Always Learning wrote:
>
> On Sun, 2015-12-20 at 12:44 -0800, Alice Wonder wrote:
>
>> RPM has ability to install a package over the network.
>>
>> rpm -i ftp://example.org/foo-2.2.noarch.rpm
>
> Thanks for the new knowledge.
>
>> The point I'm trying to make though is that yum could benefit from
>> the ability to verify the fingerprint in a key it is importing
>> matches a DNS query for the user and domain the key claims to be for.
>>
>> Regardless of how the package was retrieved, this could prevent
>> dishonest trojan keys from being imported, especially if DNSSEC
>> validated the DNS query.
>
> How widespread is the problem of unknowingly importing compromised
> software?
> --

For me, I prefer to be pro-active rather than reactive. DNSSEC gives us some validation options we did not formerly have. I like to use it where it takes away potential vectors whether they currently are popular attack vectors or not.
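
The check proposed in this thread, sketched as an added example that is not part of the original messages and is not an existing yum or rpm feature. It assumes the fingerprint is published in GnuPG's legacy PKA TXT format (the thread names no record type), takes the resolver answer as a constructed dict whose `ad` field stands for the DNSSEC Authenticated Data flag, and uses hypothetical function names and constructed fingerprints.

```python
# Added example: decide whether a key being imported matches the fingerprint
# published in DNS for the address in its UID. All sample data is constructed.

def pka_owner_name(email):
    """DNS name to query for a key UID, following GnuPG's PKA convention."""
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("UID has no usable e-mail address")
    return f"{local}._pka.{domain}."

def parse_pka_txt(txt):
    """Split 'v=pka1;fpr=...;uri=...' into a dict; None if not a PKA record."""
    parts = (p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    fields = {k: v for k, v in parts}
    return fields if fields.get("v") == "pka1" and "fpr" in fields else None

def normalize_fpr(fpr):
    """Fingerprints are often printed in spaced groups; compare them bare."""
    return "".join(fpr.split()).upper()

def check_import(uid_email, key_fpr, answer):
    """Return 'match', 'mismatch', 'unauthenticated' or 'no-record'."""
    if answer is None or answer["name"].lower() != pka_owner_name(uid_email):
        return "no-record"
    if not answer["ad"]:
        # Without DNSSEC validation the record could be spoofed: do not trust it.
        return "unauthenticated"
    for txt in answer["txt"]:
        rec = parse_pka_txt(txt)
        if rec and normalize_fpr(rec["fpr"]) == normalize_fpr(key_fpr):
            return "match"
    return "mismatch"

# Constructed sample data (not real keys or real DNS records).
UID = "packager@example.org"
GOOD_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
TROJAN_FPR = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
SIGNED_ANSWER = {
    "name": "packager._pka.example.org.",
    "txt": ["v=pka1;fpr=0123456789ABCDEF0123456789ABCDEF01234567"],
    "ad": True,
}

if __name__ == "__main__":
    print(check_import(UID, GOOD_FPR, SIGNED_ANSWER))
    print(check_import(UID, TROJAN_FPR, SIGNED_ANSWER))
    print(check_import(UID, GOOD_FPR, dict(SIGNED_ANSWER, ad=False)))
```

An importer built on this would proceed only on `match` and treat `mismatch` and `unauthenticated` as reasons to refuse or prompt.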