[Yum-devel] gpg key importing
Jeremy Katz
katzj at redhat.com
Mon Aug 30 03:42:52 UTC 2004
On Sat, 2004-08-28 at 19:33 -0400, seth vidal wrote:
> I had a thought about gpg key importing.
>
> For vendors and folks packaging yum up, I thought about adding a file
> in /etc/ of yum-keys.conf
>
> just a configparser file that stores keys
[snip]
> arguably you could run yum and if we find we need a key, we look it up,
> and if it's in the conf file, then import it.
>
> or, alternatively.
>
> make the keyid an option for the repo stanza
[snip]
> now that doesn't really help if multiple keys are needed for a single
> repo but...
>
> Thoughts?
The problem with all of these is that any "get the key from this URL"
thing is how can you trust that URL? If you don't trust where you're
downloading packages from, why can you trust a website where you pull a
key from in an automated fashion any more?
Jeremy
More information about the Yum-devel
mailing list