rpm --import
Ralf Ertzinger
fedora-devel at camperquake.de
Fri Jan 7 13:17:22 UTC 2005
Hi.
Jay Turner <jkt at redhat.com> wrote:
> There's a hierarchy there. Step 1 is validating that the signing key
> you have indeed came from the source you think it did (in this case Red
> Hat.) Once you establish that it's a known entity, then all of the
> packages on the Red Hat media (be it RHEL or Fedora) are signed with
> that key, so at that point you know that all of the packages originated
> from Red Hat as well (or the Fedora project in the case of Fedora.) So
> you don't "have to trust the media [you] install from anyway" as the
> that content can be verified just as the key itself can.
OK, I think there is a slight misunderstanding. I did not mean to say that
I will swallow everything that says "Fedora Core 3 DVD" (or whatever) on
it and treat it as genuine. I can download it from anywhere, and check the
published checksums (which are signed) against my image. Leaving discussions
about hashing algorithms aside, I have thus established that my media is good.
So is the key, which is included on the media.
So we have two cases:
1) People who check that the media is genuine (signed checksums), and thus
trust the media, and trust the keys on it, so the keys can be imported
by the installer.
2) People who do not check the media (or have it checked by their admin or
another knowledgeable person), and can so be persuaded to install almost
anything. If the media is compromised, all bets are off, anyway. If the media
is genuine nonetheless, they get the keys they need to trust the automatic
updates (which is a good thing, in my book).
Maybe I am missing something here.
PS: the above just holds for media based installations.
--
"Wie? Man kann einen Computer auch ausschalten ?"
Kasuga in AnimeGer
More information about the fedora-devel-list
mailing list