[Yum] Security of yum rpms

seth vidal skvidal at phy.duke.edu
Wed Oct 29 22:45:52 UTC 2003



> Alternatively, rpm signing could be enabled instead:
> * run "gpg --install /usr/share/rhn/RPM-GPG-KEY"

no - for yum 2.0.X and therefore rpm 4.1.1 or greater you want to run:
rpm --import /usr/share/rhn/RPM-GPG-KEY

> * have the yum.conf file always set gpgcheck=1
> This would at least ensure that if a cracker installed a trojan in the
> duke yum repository, it would be rejected due to invalid signature.

This was discussed some time ago on the list and the reason for not
setting gpgcheck=1 is fairly simple: most users have no concept of what
the gpg checking does. It would just make it next to impossible for
users to use the tool.

I set it on my systems that I manage, but in general most users don't
use it.

I think if red hat, for example, wanted to set gpgcheck=1 on all of the
repositories for the package of yum that is being provided in fedora
core, then that would be great. But I think making it the default for
the program might cause other nightmares, especially considering that if
gpgcheck=1 then an unsigned package == bad signature.

but other people's thoughts are welcome here and default configs are
easily modified in the package someone provides.

-sv
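
Added example, not part of the original message and not yum's own code: a small audit that reports which repository sections of a yum.conf would install packages without a signature check. The sample config is constructed, and the inheritance of gpgcheck from [main] and the "missing means off" default are assumptions.

```python
import configparser

# Constructed sample yum.conf; repo names and URLs are made up for illustration.
SAMPLE_CONF = """\
[main]
gpgcheck=1

[base]
baseurl=http://mirror.example.invalid/base/

[updates]
baseurl=http://mirror.example.invalid/updates/
gpgcheck=0

[extras]
baseurl=http://mirror.example.invalid/extras/
gpgcheck=1
"""

ENABLED = {"1", "yes", "true"}  # the page only shows "1"; the rest are assumed spellings

def audit_gpgcheck(conf_text):
    """Return {repo_id: bool} saying whether signature checking is in effect."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    # Assumption: a missing gpgcheck means "off", and [main] sets the default
    # that each repository section inherits unless it overrides it.
    main_default = "0"
    if parser.has_section("main"):
        main_default = parser.get("main", "gpgcheck", fallback="0")
    result = {}
    for section in parser.sections():
        if section == "main":
            continue
        value = parser.get(section, "gpgcheck", fallback=main_default)
        result[section] = value.strip().lower() in ENABLED
    return result

def unchecked_repos(conf_text):
    """Repositories whose packages would be installed without a signature check."""
    return sorted(r for r, ok in audit_gpgcheck(conf_text).items() if not ok)

if __name__ == "__main__":
    for repo in unchecked_repos(SAMPLE_CONF):
        print("gpgcheck is off for [%s]" % repo)
```

To check a real system, pass the contents of /etc/yum.conf to unchecked_repos() instead of SAMPLE_CONF.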
