2009/11/18 Jeff Garzik <jgarzik(a)pobox.com>:
How little social engineering + virus automation does it take to get
such an
install to include a malicious 3rd party repo?
You need the root password to install from repos not signed by a key
previously imported, or if the package signature is wrong.
Richard.