missing keys on yum update -- evolution-data-server
Paul Howarth
paul at city-fan.org
Mon Jun 12 12:28:49 UTC 2006
Tim wrote:
> On Mon, 2006-06-12 at 12:31 +0100, Paul Howarth wrote:
>> Yum, or rather rpm, has no pre-imported keys at all. Every one of them
>> is installed as a resutt of some post-installation action, such as
>> running a "yum update". The keys are supplied out-of-the-box in the
>> fedora-release package, but they're not pre-imported into the rpm
>> database.
>
> That would seem to be a bit of a security problem. You're trusting the
> first key you get to be true, with nothing to verify against but itself.
It needn't be. The key file itself is part of an RPM package
(fedora-release), and that package is itself signed. The installer
(anaconda) could check the GPG signature of the package when installing
it (I don't know whether it does or not though).
Paul.
More information about the fedora-list
mailing list