Proposed F19 Feature: Package Signature Checking During Installation
Nicolas Mailhot
nicolas.mailhot at laposte.net
Thu Jan 10 20:49:55 UTC 2013
Le Jeu 10 janvier 2013 20:41, Adam Jackson a écrit :
> For the same reason Firefox doesn't automatically accept self-signed SSL
> certs, and the same reason that ssh doesn't automatically accept new
> host keys: it'd be creating trust from thin air.
Checking packages are signed by the same key as the installer when yum
happily trawls half the internet to find mirrors managed by god knows who
is not thin air security. Right now the only thing that could make our
installation process more laughably insecure is lapping an 'own me' label
on one of anaconda's install screens.
Sure checking signature would not be perfect security, but your argument
is akin to removing airbags from cars that do not have an abs to 'avoid
creating a false sense of security'
--
Nicolas Mailhot
More information about the devel
mailing list