Yum and SRPMS

James Wilkinson james at westexe.demon.co.uk
Mon Nov 22 22:18:00 UTC 2004


Colin Paul Adams wrote:
> Now after being prompted to import GPG keys, and doing so (why doesn't
> it do it, if it knows what needs doing?), I end up with a 404 HTTP
> error when trying to fetch the rpm.

There's a chicken and egg situation here.

How do you know a download hasn't been tampered with? You check it with
GPG.

How do you get the GPG key? You download it from the Red Hat website.

But how do you check that the GPG key itself is good? See figure 1?

It Would Be Possible for a suitably motivated attacker to create an
"invisible mirror" between you and your Fedora mirror (or between Red
Hat and the mirror). It would replace the Red Hat GPG key, and the
signed packages with ones the attacker provided.

Theoretically, you need a trusted communication path between the Fedora
project and you, to ensure that the key you import has not been changed.
And you can't get that over the Internet unless you have had previous
dealings with Fedora.

So it is left up to you to decide how much trust you want to place in
the communications path while downloading the key. Most people will, for
that once, trust it. A few will check elsewhere.

James.
-- 
E-mail address: james | Anonymous:          What do you think of Stainer's
@westexe.demon.co.uk  |                     "Crucifixion"?
                      | Sir Thomas Beecham: Good idea! 
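[Added example, not part of James's message or of any Fedora/Red Hat tooling.] The "check it elsewhere" step James describes comes down to one concrete thing: compare the fingerprint of the key you just downloaded with a fingerprint you obtained over a different path. The Python below models that with a constructed OpenPGP v4 RSA key packet (toy modulus, not a real Fedora key), computes its fingerprint exactly as RFC 4880 section 12.2 specifies, and runs two strategies against an honest mirror and an "invisible mirror": a pinned fingerprint, and the "trust it that once" behaviour most people pick, made explicit as a trust-on-first-use store. The key names, the `fetch_key` stand-in for the mirror and the moduli are all assumptions for the example.

```python
"""Pinning a package-signing key's fingerprint before trusting it.

Added example, not from the mailing-list post. It models the chicken-and-egg
situation in the post: the packages are checked with the key, so the key has
to be checked against something that did NOT travel over the same path, here
its OpenPGP v4 fingerprint (RFC 4880 section 12.2) read from a second channel.
Keys, moduli and the 'mirror' are constructed stand-ins, not real Fedora keys.
"""
import hashlib
import hmac
import struct


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


def rsa_public_key_packet(creation_time: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    return b"\x04" + struct.pack(">I", creation_time) + b"\x01" + _mpi(n) + _mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, the body."""
    framed = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(framed).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The low 64 bits of a v4 fingerprint, the key ID gpg prints next to the key."""
    return fingerprint[-16:]


# Constructed toy keys (small, deterministic moduli so this runs offline).
FEDORA_KEY = rsa_public_key_packet(
    1100000000, n=int.from_bytes(b"fedora-toy-modulus" * 7, "big"), e=65537)
ATTACKER_KEY = rsa_public_key_packet(
    1100000000, n=int.from_bytes(b"invisible-mirror-key" * 7, "big"), e=65537)


def fetch_key(attacker_in_path: bool) -> bytes:
    """Stand-in for downloading RPM-GPG-KEY from a mirror (assumed helper).

    With an 'invisible mirror' between you and the real one, the attacker's key
    comes back, and every package the attacker re-signed then verifies cleanly:
    the signature check on its own cannot tell the two worlds apart.
    """
    return ATTACKER_KEY if attacker_in_path else FEDORA_KEY


def check_against_pin(key_body: bytes, pinned_fingerprint: str) -> bool:
    """Accept the downloaded key only if it matches a fingerprint obtained elsewhere
    (printed media, a previous install, a person you trust). Spaces from the
    human-readable grouping are ignored; the comparison is constant-time."""
    expected = pinned_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(key_body), expected)


class TrustOnFirstUse:
    """The 'trust it that once' decision from the post, made explicit.

    The first fetch of a named key is recorded; later fetches must match it.
    This catches a key swapped in later, but NOT one swapped in on the first fetch.
    """

    def __init__(self):
        self.pins = {}  # key name -> fingerprint recorded on first sight

    def check(self, name: str, key_body: bytes) -> bool:
        seen = v4_fingerprint(key_body)
        if name not in self.pins:
            self.pins[name] = seen
            return True
        return hmac.compare_digest(self.pins[name], seen)


def demo() -> dict:
    """Run both strategies against an honest path and an attacker-controlled path."""
    pin = v4_fingerprint(FEDORA_KEY)  # assumed read from a channel the attacker cannot touch
    results = {
        "pinned, honest path": check_against_pin(fetch_key(False), pin),
        "pinned, attacker in path": check_against_pin(fetch_key(True), pin),
    }
    tofu = TrustOnFirstUse()
    results["tofu, first fetch honest"] = tofu.check("fedora", fetch_key(False))
    results["tofu, later fetch attacker"] = tofu.check("fedora", fetch_key(True))
    fresh = TrustOnFirstUse()
    results["tofu, first fetch attacker"] = fresh.check("fedora", fetch_key(True))
    return results


if __name__ == "__main__":
    fp = v4_fingerprint(FEDORA_KEY)
    print("fingerprint:", fp, "key id:", long_key_id(fp))
    for case, ok in demo().items():
        print(f"{case:28s} -> {'accept' if ok else 'REJECT'}")
```

On a real box the same steps are: `gpg --with-fingerprint RPM-GPG-KEY-fedora` to print the fingerprint of the file you downloaded, compare it by eye with one you got some other way, and only then `rpm --import RPM-GPG-KEY-fedora` and `rpm -K package.rpm`. The comparison is the one step no tool can do for you, which is why the last case in the demo (attacker present on the very first fetch) still comes back "accept" under trust-on-first-use.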
