PackageKit Misconceptions

[Jesse Keating]

On Wed, 22 Aug 2007 17:46:47 +0100
"Richard Hughes" <hughsient at gmail.com> wrote:

> Also, my view is that questions should never be asked. Who has ever
> clicked no to "Load GPG key from Fedora Project"? Is there a legal
> requirement to show such a warning?
> 
> So, I hope that has cleared things up a bit. Comments and suggestions
> welcome.

There aren't requirements, however given that our software is mirrored
around the world and our tools are made easy to make your own Fedora,
it's possible that somebody could start handing out spoofed Fedoras.
If the key you're asking to import says it's Fedora, but the public key
servers don't match this key, that's a very quick indication that you
should stop using the system as it's been compromised in some way.

Also it's easy enough to install some piece of software off the net
that drops a yum repo file in place and starts handing you packages
from another repo.  You should get the opportunity to confirm your
trust in this repo before it starts replacing all kinds of packages in
your system..
(now said packages that drop a repo file could just easily set
gpgcheck=no and bypass all the trust issues, but that's neither here
nor there)

I will happily admit that our dialogs don't say any of this and just
assume that the user "gets" all this automatically.

-- 
Jesse Keating
Fedora -- All my bits are free, are yours?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-desktop-list/attachments/20070822/8d1aaa18/attachment.sig>