Discussion of content, security Re: FC3 yum instructions

Nils Breunese (Lemonbit Internet) nils at lemonbit.nl
Sun Feb 26 10:42:35 UTC 2006


David Eisenstein wrote:

> STEP 2 AND STEP 1.4
>
> I am wondering ... it seems to me that we included code in the RPM
> "legacy-yumconf-3-4.fc3.noarch.rpm" that includes and automatically
> installs the Fedora Legacy GPG key when this RPM package is installed.
> Can someone confirm or deny that?  If so, then "Step 2: Configure yum for
> Fedora Legacy" already takes care of the work that Step 1.4 asks the user
> to do.
>
> HOWEVER, as the legacy-yumconf RPM file itself is signed by the Fedora
> Legacy key, the "rpm -Uvh" step in step 2 would be downloading and
> installing the legacy-yumconf package without the benefit of the Legacy
> GPG key to check to make sure it is not tampered with.  So it seems to me
> that Step 1.4 isn't necessarily a duplication of effort, as it verifies
> that the legacy-yumconf package installed in Step 2 is signed with the
> key installed in Step 1.4.
>
> It seems a little more secure to go ahead and let users *do* step 1.4, and
> if they're lazy and don't want to do it, it gets done for them anyway.
>
> SO, is my interpretation correct?  Do we need to ask the user still to do
> Step 1.4 if Step 2 takes care of it?  Considering the warning the user may
> get in Step 2 if Legacy's key isn't already installed --
>    ("warning: legacy-yumconf-3-4.fc3.noarch.rpm: V3 DSA signature: NOKEY,
>    key ID 731002fa")
>
> -- would that be confusing enough to warrant keeping Step 1.4 there and
> asking the user to do it?  If we removed Step 1.4, would we introduce some
> kind of risk to the user -- say, if a Fedora Legacy downloading site or
> mirror were to be compromised by some attacker, who might put in his/her
> own legacy-yumconf package and install a gpg key of his/her choice?

Would it be possible to get legacy-yumconf signed with the regular
(non-legacy) FC3 key?

Nils.
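The concern in the quoted mail is that "rpm -Uvh" on a freshly downloaded legacy-yumconf only warns (NOKEY) when the signing key is not yet imported, and installs anyway. The script below is an added example, not part of this thread or of the Fedora Legacy instructions: it classifies the output of `rpm --checksig` and only installs when the signature verifies against an already imported key, refusing on NOKEY so that Step 1.4 cannot be skipped silently. The `rpm --checksig` output format and the sample lines are assumed (rpm 4.x style); the key ID 731002fa is the one quoted above.

```sh
#!/bin/sh
# Added example (not from the original thread): gate installation of an RPM
# on what `rpm --checksig` reports, so a package whose signing key is not
# imported yet (the NOKEY case) is refused instead of installed unverified.

# classify_checksig LINE -> prints one of: ok, nokey, bad, unsigned
# LINE is one output line of `rpm --checksig FILE` (rpm 4.x format, assumed).
classify_checksig() {
    line="$1"
    case "$line" in
        *"MISSING KEYS"*|*NOKEY*) echo nokey ;;     # must precede "NOT OK"
        *"NOT OK"*)               echo bad ;;
        *" gpg OK"|*" pgp OK")    echo ok ;;
        *" OK")                   echo unsigned ;;  # digests fine, no signature
        *)                        echo bad ;;
    esac
}

# verify_and_install FILE: importing the key stays the operator's job
# (Step 1.4); this only installs when the signature verifies against it.
verify_and_install() {
    out=$(rpm --checksig "$1" 2>&1) || true
    case "$(classify_checksig "$out")" in
        ok)    rpm -Uvh "$1" ;;
        nokey) echo "refusing $1: signing key not imported, do Step 1.4 first" >&2
               return 2 ;;
        *)     echo "refusing $1: signature or digest check failed" >&2
               return 1 ;;
    esac
}

# Constructed sample lines in the assumed `rpm --checksig` format:
SAMPLE_OK='legacy-yumconf-3-4.fc3.noarch.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_NOKEY='legacy-yumconf-3-4.fc3.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#731002fa)'
SAMPLE_BAD='legacy-yumconf-3-4.fc3.noarch.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK'
SAMPLE_UNSIGNED='legacy-yumconf-3-4.fc3.noarch.rpm: sha1 md5 OK'
```

Run `verify_and_install legacy-yumconf-3-4.fc3.noarch.rpm` in place of a bare `rpm -Uvh`; an unsigned package is refused as well, since a mirror that strips the signature is no better than one that replaces the key.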
