Thread: Re: Point yum repos to centos gpg key in /etc/pki/




Re: Point yum repos to centos gpg key in /etc/pki/
2008-02-25 13:13:46
on 2/25/2008 10:40 AM Jeff Sheltren spake the following:
> On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:
> 
>> Jeff Sheltren wrote:
>>> Hi, as a follow-up to a conversation in #centos-devel, I'd like to
>>> get input from the list on this issue.
>>> The question is where to point people, and tools like yum, for the
>>> centos gpg key used to verify rpm signatures.  My opinion is that
>>> pointing to the key in /etc/pki/ which gets installed by the
>>> centos-release makes the most sense.  This is already installed
>>> locally on any centos (-5) machine.  See e.g.
>>> http://bugs.centos.org/view.php?id=2419
>>> From a security standpoint, there are issues with either choice.
>>> However, if your install media has been compromised, then there would
>>> be many other ways to bypass the gpg checks rather than just changing
>>> the gpg key from the centos-release package.  Pointing to a URL for
>>> the gpg key opens up more security issues such as dns poisoning.
>>> -Jeff
>>
>> I think that for the CentOS-Media.repo file that using the /etc/pki
>> directory makes sense.
>>
>> I STILL think pointing to the http://mirror.centos.org/ site is best
>> for the web-enabled CentOS-Base.repo file.
> 
> Johnny, could you let us know your reasons for wanting to point to the
> remote GPG key?
> 
I would think if you could compromise the mirror dns list, you could have
malicious rpms signed by a malicious key, and have thousands of systems get
rooted.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!


_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
http://lists.centos.org/mailman/listinfo/centos-devel
