web site updates

Todd Freedom_Lover at pobox.com
Fri Jan 30 18:26:01 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Dalbec wrote:
> One alternative would be to import the keys in the postinst.
> FreshRPMs' yum RPM does this.

While that's certainly convenient, I really don't like packages that
mess with my gpg keyring.

If yum were going to automatically install these keys, I think it
should do so to an alternate keyring, like up2date did.  I don't know
the most FHS compliant place to locate this, /etc/yum/keyring.gpg or
/var/lib/yum/keyring.gpg perhaps.  Then, gpgkeyring would have to be
set in /etc/yum.conf.

At the same time, that makes it likely that users who've already
imported the Red Hat GPG key to their root keyring will get confused
if they just issue a gpg --fingerprint when trying to verify the
Fedora Legacy key.

I'm partial to making users explicitly import the keys.  That might
increase the chances that they'll verify the fingerprints before
trusting them.  But that's just my personal bias.

Apologies if this has already all been debated and decided before.  If
it has, anyone got a pointer to a thread or policy doc on this sort of
thing?

- -- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
If Stupidity got us into this mess, then why can't it get us out?
    -- Will Rogers (1879-1935)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAGqG4uv+09NZUB1oRArzGAKChuUEK4hD09FiYGCk9N0uPdXoq8QCgiunC
O4fJQuUZsft7witwuDzgPcE=
=OYFl
-----END PGP SIGNATURE-----
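The two points in the message above (keep package-manager keys in a separate keyring, and check the fingerprint before trusting a key) can be combined in one script. This is an added example, not part of the original post or of yum: the function names are hypothetical, the keyring path is one of the two locations the post floats, and it assumes a GnuPG release that supports `--import-options show-only`.

```shell
#!/bin/sh
# Assumed path: one of the two locations floated in the post.
KEYRING="${KEYRING:-/var/lib/yum/keyring.gpg}"

# Strip spaces/colons and uppercase, so a fingerprint pasted from
# `gpg --fingerprint` output compares equal to the colon-format one.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr '[:lower:]' '[:upper:]'
}

# stdin: a `gpg --with-colons` listing. Prints the primary-key fingerprint,
# but only when the listing holds exactly one primary key ("pub" record),
# so an extra key bundled into the same file cannot ride along unchecked.
single_key_fpr() {
    awk -F: '$1 == "pub" { n++ }
             $1 == "fpr" && !seen { fpr = $10; seen = 1 }
             END { if (n == 1) print fpr }'
}

# fpr_matches EXPECTED: succeeds only if the listing on stdin is a single
# key whose fingerprint equals EXPECTED.
fpr_matches() {
    want=$(normalize_fpr "$1")
    got=$(single_key_fpr)
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# import_verified KEYFILE EXPECTED_FPR: inspect the file without importing
# it, then import into the alternate keyring only on a fingerprint match.
import_verified() {
    keyfile=$1; expected=$2
    if ! gpg --batch --with-colons --import-options show-only \
             --import "$keyfile" | fpr_matches "$expected"; then
        echo "fingerprint check failed for $keyfile; nothing imported" >&2
        return 1
    fi
    gpg --batch --no-default-keyring --keyring "$KEYRING" --import "$keyfile"
}

# List fingerprints from the alternate keyring; a plain `gpg --fingerprint`
# reads only the default keyring and would not show these keys.
show_alt_fingerprints() {
    gpg --no-default-keyring --keyring "$KEYRING" --fingerprint
}
```

The expected fingerprint passed to `import_verified` has to come from a channel other than the one that delivered the key file.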





More information about the fedora-legacy-list mailing list