PackageKit Misconceptions

[Jeff Spaleta]

On 8/22/07, David Zeuthen <davidz at redhat.com> wrote:
> Assume that Alice gets Fedora from Mallory's mirror. What prevents
> Mallory from patching the rpm and yum programs that end up on Alice's
> system to avoid honoring the keys that we, painfully, make her import?

would signing our mirror metadata help?
would importing the provided keys at install time help?
(We have to assume the install media is trusted)

-jef