Proposed F19 Feature: Package Signature Checking During Installation
Tomas Mraz
tmraz at redhat.com
Fri Jan 11 17:39:53 UTC 2013
On Thu, 2013-01-10 at 21:49 +0100, Nicolas Mailhot wrote:
> Le Jeu 10 janvier 2013 20:41, Adam Jackson a écrit :
>
> > For the same reason Firefox doesn't automatically accept self-signed SSL
> > certs, and the same reason that ssh doesn't automatically accept new
> > host keys: it'd be creating trust from thin air.
>
> Checking packages are signed by the same key as the installer when yum
> happily trawls half the internet to find mirrors managed by god knows who
> is not thin air security. Right now the only thing that could make our
> installation process more laughably insecure is lapping an 'own me' label
> on one of anaconda's install screens.
>
> Sure checking signature would not be perfect security, but your argument
> is akin to removing airbags from cars that do not have an abs to 'avoid
> creating a false sense of security'
+1, definitely
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
More information about the devel
mailing list