Trusting repositories (was: Re: Announcing rpmfusion)

Sertaç Ö. Yıldız sertac.liste at
Sun Sep 16 05:51:04 UTC 2007

[13.Eyl.07 01:36 +0300] Sertaç Ö. Yıldız:
> [12.Eyl.07 15:43 -0400] seth vidal:
>> On Wed, 2007-09-12 at 21:42 +0200, Nicolas Mailhot wrote:
>>> I hope yum has a check somewhere to forbid installation of unknown 
>>> default-on repositories.
>> how on earth would yum know? Do you want yum to have special behavior if it 
>> detects a .repo file?
> Not for .repo files, but it would be nice to check for GPG keys it installs.

On a second thought, I realized that yum cannot do anything about trust 
at the moment. And my mindset about trust here (based on public keys 
being installed or not) was completely flawed. I’ve seen a package 
executing “rpm --import” from postinstall scriptlet and maybe it’s 
possible even from preinstall.

If I cannot express my distrust on a repository (or specifically 
a public key) I cannot express my trust either. And probably this must 
be solved at the rpm level.

Rpm apparently has some (undocumented) code about this:
| $ rpm --trust
| --trust: missing argument

But IIUC at the moment it handles the situation similar to what I’d 
thought: NOTTRUSTED is similar to NOKEY.

As it is, GPG signature verification reduces to a mere integrity check 
if one wants to use external repositories.


More information about the fedora-devel-list mailing list