Yum public keys -

Todd Zullinger tmz at pobox.com
Fri Nov 17 14:43:19 UTC 2006


Bob Goodwin wrote:
> I worked around the problem by installing 
> libid3tag-0.15.1b-3.fc6.rf.i386.rpm and lame from 
> "http://ftp.riken.go.jp/pub/Linux/dries/fedora/fc6/i386/RPMS.dries/" 
> with the respective rpm's.
>
> Yum is easy if it works but installing from rpm's is less complicated 
> when there's a problem such as this.

I'd argue that yum does work well in almost all cases, but it does
require that the repositories that it's pulling from are set up
properly.  Much of this needs to be done by the repo maintainers,
though there is some work that needs to be done by users.  It's
important not to enable repos that aren't designed to play nice
together.  I stick with Core, Extras, and Livna because they are
designed to work together.  Adding Dries, FreshRPMS, or other rpmforge
repos sometimes conflicts with things in core, extras, or livna.

The workaround above may have saved you some head scratching, but it
circumvented an important security check.  Yum was complaining because
it could not verify the integrity of the package via its GPG
signature.  Installing manually, you skipped that check. How would you
know if that package was trojaned?

Installing packages manually that have problems in yum could also make
it difficult for yum to do its job in the future by introducing
packages that have dependencies outside of the repos that yum knows
about.

The better solution (to me) would be to find out why installing
audacity from extras was trying to pull in a libid3tag package other
than the one available in extras[1].  There is a repo in your
configuration that is not installed correctly/completely.  A properly
configured repo would make its key available so that when you try to
install a package from that repo and need the key installed, it can
prompt you and install that key.

[1] http://download.fedora.redhat.com/pub/fedora/linux/extras/6/i386/libid3tag-0.15.1b-3.fc6.i386.rpm

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
======================================================================
When buying and selling are controlled by legislation, the first
things to be bought and sold are legislators.
    -- P.J. O'Rourke, Parliament of Whores

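An audit for the situation described in this message, added here as an example and not part of the original post or of yum itself: it reads `.repo` definitions and reports enabled repositories that either skip the GPG check or enable it without a `gpgkey` URL for yum to import from. The sample repo ids, URLs and key paths are constructed, and `default_gpgcheck` is an assumed stand-in for the `[main]` setting in `yum.conf`.

```python
import configparser

TRUE = {"1", "true", "yes"}

# Constructed sample of /etc/yum.repos.d content; ids, URLs and key paths are illustrative.
SAMPLE_REPOS = """\
[extras]
baseurl=http://mirror.example/extras/6/i386/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-extras

[thirdparty]
baseurl=http://mirror.example/thirdparty/fc6/i386/
gpgcheck=1

[unsigned]
baseurl=http://mirror.example/unsigned/
enabled=1
gpgcheck=0

[disabled]
baseurl=http://mirror.example/disabled/
enabled=0
gpgcheck=0
"""

def audit_repos(text, default_gpgcheck=True):
    """Return {repo_id: finding} for enabled repos whose packages yum cannot verify."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        if repo == "main":
            continue  # global options, not a repository
        sec = cp[repo]
        if sec.get("enabled", "1").strip().lower() not in TRUE:
            continue  # disabled repos are never consulted
        raw = sec.get("gpgcheck")
        check = default_gpgcheck if raw is None else raw.strip().lower() in TRUE
        if not check:
            findings[repo] = "gpgcheck disabled: packages install unverified"
        elif not sec.get("gpgkey", "").strip():
            findings[repo] = "gpgcheck on but no gpgkey: yum cannot offer to import the key"
    return findings

if __name__ == "__main__":
    for repo, finding in audit_repos(SAMPLE_REPOS).items():
        print(f"{repo}: {finding}")
```
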



