Yum is great, but do you trust them?

Brian Fahrlander Brian at fahrlander.net
Tue Feb 10 21:45:08 UTC 2004


On Tue, 2004-02-10 at 14:30 -0500, Harry Hoffman wrote:
> It is hoped that the mirrors are only copies! They could be forged, altered, or
> otherwise changed. Trusting a mirror is like trusting a friend's friend without
> actually knowing either friend to start with. Trust is better served with things
> that can't be proved easily (like the universe imploding upon itself tomorrow).
> And that is more along the lines of hope anyway. :-)
> Not to say that mirrors shouldn't be used, just something to think about.

    Nah, as usual, the 'gods' among us were looking out for us. 

    When a mirror is set up, there is a chance that someone sneaked a
modified sendmail rpm, causing it to send spam.  Problem is, the
checksum has to be the same as the original one on the main site, then
the checksums wouldn't match...just like if the file were mangled along
the way for some reason.

    And during packaging, in order to fake it, he'd have to have the
_private_ key to make this all work out.

    So, no- turn on the gpgcheck, get the keys, and enjoy.
-- 
------------------------------------------------------------------------
Brian Fahrländer                 Researcher, Conservative, and Technomad
Evansville, IN                                     http://Fahrlander.net
ICQ  5119262
------------------------------------------------------------------------
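
The advice above depends on gpgcheck actually being on for every repository yum pulls from. The following is an added example, not part of the original message or of yum itself: a small audit that reads yum.conf / .repo syntax and reports which repositories would install packages without a signature check. The sample configuration, host names and the function name audit_gpgcheck are constructed for illustration, and the code assumes yum's documented default of gpgcheck=0 when the option is unset.

```python
import configparser

# Constructed sample in yum.conf / .repo syntax; hosts and paths are made up.
SAMPLE_CONF = """\
[main]
gpgcheck=1

[base]
baseurl=http://mirror.example.org/base/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[updates]
baseurl=http://mirror.example.org/updates/
gpgcheck=0

[extras]
baseurl=http://mirror.example.org/extras/
"""

TRUE_VALUES = {"1", "yes", "true"}


def audit_gpgcheck(conf_text):
    """Map each repo id to 'verified', 'verified-no-gpgkey' or 'UNVERIFIED'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # gpgcheck in [main] is the default for every repo; unset means 0 (assumed
    # here from yum.conf(5)), so packages from a mirror install unchecked.
    default = cp.get("main", "gpgcheck", fallback="0")
    report = {}
    for repo in cp.sections():
        if repo == "main":
            continue
        value = cp.get(repo, "gpgcheck", fallback=default).strip().lower()
        if value not in TRUE_VALUES:
            report[repo] = "UNVERIFIED"
        elif cp.get(repo, "gpgkey", fallback="").strip():
            report[repo] = "verified"
        else:
            # Signature check is on, but the key must already be in rpm's keyring.
            report[repo] = "verified-no-gpgkey"
    return report


if __name__ == "__main__":
    for repo, status in audit_gpgcheck(SAMPLE_CONF).items():
        print(f"{repo:10} {status}")
```

A per-repository gpgcheck=0 overrides a [main] gpgcheck=1, which is why the [updates] entry in the sample is reported as UNVERIFIED.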