Trusting repositories (was: Re: Announcing rpmfusion)
Sertaç Ö. Yıldız
sertac.liste at gmail.com
Sun Sep 16 05:51:04 UTC 2007
[13 Sep 07 01:36 +0300] Sertaç Ö. Yıldız:
> [12 Sep 07 15:43 -0400] seth vidal:
>> On Wed, 2007-09-12 at 21:42 +0200, Nicolas Mailhot wrote:
>>> I hope yum has a check somewhere to forbid installation of unknown
>>> default-on repositories.
>> how on earth would yum know? Do you want yum to have special behavior if it
>> detects a .repo file?
> Not for .repo files, but it would be nice to check for GPG keys it installs.
On second thought, I realized that yum cannot do anything about trust
at the moment. And my mindset about trust here (based on public keys
being installed or not) was completely flawed. I’ve seen a package
executing “rpm --import” from a postinstall scriptlet, and maybe it’s
possible even from a preinstall one.
If I cannot express my distrust of a repository (or, specifically,
of a public key), I cannot express my trust either. And probably this
must be solved at the rpm level.
Rpm apparently has some (undocumented) code about this:
| $ rpm --trust
| --trust: missing argument
But IIUC, at the moment it handles the situation similarly to what I’d
thought: NOTTRUSTED is treated like NOKEY.
As it is, GPG signature verification reduces to a mere integrity check
if one wants to use external repositories.
More information about the fedora-devel-list
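The post above notes that a package scriptlet can run "rpm --import" and thereby add a key to the rpm trust database without the administrator ever deciding to trust it. One practical check, added here as an example and not part of the original thread or of rpm/yum themselves, is to audit scriptlets before installing: "rpm -qp --scripts FILE.rpm" (or "rpm -q --scripts PKG" for an installed package) prints the scriptlet bodies, and the script below greps that text for key imports. The scriptlet text in the sample functions is constructed inline so the script runs without rpm present; the package name "vendor", the key paths, and the function names are assumptions made for this example. "rpmkeys --import" is the newer spelling of the same operation and is matched as well.

```shell
#!/bin/sh
# Added example (not from the original post): audit rpm scriptlet text for
# commands that extend the rpm trust database behind the administrator's back.
#
# Real usage (needs rpm):   rpm -qp --scripts vendor-1.0-1.noarch.rpm | audit_scriptlets
# To see what is trusted now: rpm -qa 'gpg-pubkey*'   (one pseudo-package per key)

# Matches "rpm --import ..." and "rpmkeys --import ...", with optional short
# options in between, and requires a non-word character (or line start) before
# the command name so that e.g. "/bin/rpm --import" is caught too.
KEY_IMPORT_RE='(^|[^[:alnum:]_])(rpm|rpmkeys)[[:space:]]+(-[^[:space:]]+[[:space:]]+)*--import([[:space:]]|$)'

# Print every matching line (with line number) from the scriptlet text on stdin
# or in the named files.  Exit status is grep's: 0 if something was found,
# 1 if the scriptlets are clean.
audit_scriptlets() {
    grep -nE "$KEY_IMPORT_RE" "$@"
}

# Same scan, but only print the number of offending lines.
count_key_imports() {
    grep -cE "$KEY_IMPORT_RE" "$@"
}

# Constructed sample: what `rpm -q --scripts` prints for a harmless package.
sample_clean_scripts() {
cat <<'EOF'
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
postuninstall scriptlet (using /bin/sh):
/sbin/ldconfig
EOF
}

# Constructed sample: a package that imports its own key in %pre (before its
# payload exists, so it writes the key out itself) and again in %post.
sample_suspicious_scripts() {
cat <<'EOF'
preinstall scriptlet (using /bin/sh):
cat > /tmp/RPM-GPG-KEY-vendor <<'KEY'
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
KEY
rpm --import /tmp/RPM-GPG-KEY-vendor
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
rpm -q gpg-pubkey >/dev/null 2>&1 || rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-vendor
EOF
}

# Stand-alone demonstration on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    echo "clean package:"
    sample_clean_scripts | audit_scriptlets || echo "  no key imports found"
    echo "suspicious package:"
    sample_suspicious_scripts | audit_scriptlets || echo "  no key imports found"
fi
```

A match here is a reason to look at the scriptlet, not proof of malice: a vendor package may import its key openly and document it. The point the post makes still stands, though: once such a scriptlet has run, rpm will verify later packages from that vendor as "trusted" even though the administrator never made that choice, so the check belongs before installation, when "rpm -qp --scripts" can still be run on the file.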