Secrecy and user trust

Mike McCarty Mike.McCarty at sbcglobal.net
Fri Sep 5 14:49:37 UTC 2008


jdow wrote:
> 
> Suppose I have NO RedHat installed. I have no working computer near
> me. I want to install Fedora 9. How do I establish the ability to
> subject the packages to tests for being properly signed, that the
> key used in the test is correct, and that I am reading and updating
> from a legitimate mirror?

This is the same issue you have with SSH, or encrypted web pages.
Who certifies the certificators? Diffie and Hellman solved the
key distribution problem, but the only way we know of to know that
you've got the right public key is to perform the initial transfer in
person, and then build a "web of trust" as has been mentioned.

> If this can be done once in an initial install situation it can be done
> again in an update situation using the same mechanism.

One way is to download the stuff from Red Hat's site itself,
and trust that no one has managed to intercept your communications.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
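
Added example, not part of the original message: the check the reply points to, where a fingerprint obtained out of band (for instance in person) decides whether a downloaded OpenPGP public key is accepted before any package signature is trusted. The function names, the toy RSA keys and the `PINNED` value are constructed for illustration; the fingerprint computation follows RFC 4880 section 12.2.

```python
import hashlib
import hmac
import struct


def v4_fingerprint(body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99,
    a two-octet big-endian length, then the public-key packet body."""
    if not body or body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a two-octet length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalise(fpr: str) -> str:
    """Accept a fingerprint as printed on paper: grouped, any case."""
    cleaned = "".join(fpr.split()).upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("expected 40 hex digits")
    return cleaned


def key_matches_pin(body: bytes, trusted_fpr: str) -> bool:
    """True only if the downloaded key hashes to the out-of-band fingerprint."""
    return hmac.compare_digest(v4_fingerprint(body), normalise(trusted_fpr))


def rsa_body(n: int, e: int = 65537, created: int = 1220000000) -> bytes:
    """Build a v4 RSA public-key packet body (constructed test data)."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


# Constructed toy keys: far too small to be real, used only to show the check.
GENUINE = rsa_body(n=0xC0FFEE1234567890ABCDEF0123456789)
SUBSTITUTED = rsa_body(n=0xC0FFEE1234567890ABCDEF012345678B)  # key swapped in transit

# Stand-in for the fingerprint received in person, in printed grouped form.
_hexfpr = v4_fingerprint(GENUINE)
PINNED = " ".join(_hexfpr[i:i + 4] for i in range(0, 40, 4)).lower()

if __name__ == "__main__":
    for name, key in (("genuine", GENUINE), ("substituted", SUBSTITUTED)):
        print(name, v4_fingerprint(key), "OK" if key_matches_pin(key, PINNED) else "REJECT")
```

The check is only as strong as the channel that delivered the pinned fingerprint; a fingerprint read from the same download as the key adds nothing.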
