Re: Whom should I put my trust?

On Tue, 2003-11-25 at 15:04, Axel Thimm wrote:
> On Tue, Nov 25, 2003 at 02:06:15PM +0800, Chris Kloiber wrote:
> > On Tue, 2003-11-25 at 05:12, Timothy Ha wrote:
> > > Thank you!
> > > 
> > > I still have some questions (not doubts): With thrilling stories like 
> > > someone breaking into the Linux kernel source, how do you guarantee the quality 
> > > of the repositories? Security updates, system tools and so on are there.
> > > 
> > > Will Redhat be some guarantee to all these things?
> > 
> > Not necessarily, but... 
> > 
> > The packages are all signed with GPG if they are officially part of the
> > Fedora project. Your up2date/apt/yum should be configured to check these
> > signatures before installing anything, and to scream "bloody-blue
> > murder" if they are not correctly signed. 
> 
> Well, almost all non-redhat.com repos are GPG signing as well. GPG
> signed packages with keys from the same originating site only ensures
> that you get what the packager produced. The difference being that I
> would trust a redhat.com key more than a my.repo.for.fc1.hackz key ;)
> 
> > You should be able to find the official keys and an explanation of
> > their uses here:
> > 
> > http://fedora.redhat.com/about/security/
> 
> Maybe RH could consider verifying some IDs of packagers/repos and sign
> their keys (and vice versa, RH's key is not signed by any other key)?
> That would be a good establishment to create a true web of trust.

Oh, part of that is here:

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x54A2ACF1

-- 
Chris Kloiber
Red Hat, Inc.
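The advice in the thread is that up2date/apt/yum should be configured to check package signatures and refuse unsigned packages. The following is an added example, not code from anyone in this thread: a small POSIX shell audit of yum-style repository definitions that reports stanzas where `gpgcheck` is missing or set to 0, and a companion that rewrites such stanzas to `gpgcheck=1`. The repository names, URLs (all under the reserved `.invalid` domain) and the sample configuration are constructed for illustration; the `gpgcheck` option itself is yum's.

```shell
#!/bin/sh
# Added example: audit yum repository definitions for disabled GPG checking.
# The sample configuration below is constructed; it shows one stanza that
# enforces signatures (gpgcheck=1) beside one that does not (gpgcheck=0).
sample_repo_conf() {
    cat <<'EOF'
[fedora-updates]
name=Fedora Core 1 updates (official, signed) -- constructed sample
baseurl=http://mirror.example.invalid/fedora/updates/1/i386/
gpgcheck=1

[third-party-hackz]
name=Unverified third-party repo -- weak: signature checking disabled
baseurl=http://my.repo.for.fc1.hackz.invalid/fc1/
gpgcheck=0
EOF
}

# unchecked_repos: read an INI-style repo file on stdin and print the id of
# every stanza that does not contain an exact "gpgcheck=1" line.  A stanza
# with gpgcheck=0, or with no gpgcheck line at all, is reported.
unchecked_repos() {
    awk '
        /^\[.*\]$/ {
            if (id != "" && checked == 0) print id
            id = substr($0, 2, length($0) - 2); checked = 0
            next
        }
        /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { checked = 1 }
        END { if (id != "" && checked == 0) print id }
    '
}

# harden_repo_conf: copy the repo file from stdin to stdout, replacing any
# gpgcheck=... line with gpgcheck=1 and appending gpgcheck=1 to stanzas that
# had no such line.  Lines before the first stanza header pass through.
harden_repo_conf() {
    awk '
        function flush(   i) {
            if (id == "") return
            for (i = 1; i <= n; i++) {
                if (buf[i] ~ /^[ \t]*gpgcheck[ \t]*=/) {
                    if (!done) { print "gpgcheck=1"; done = 1 }
                } else {
                    print buf[i]
                }
            }
            if (!done) print "gpgcheck=1"
        }
        /^\[.*\]$/ { flush(); id = $0; n = 0; done = 0; print $0; next }
        { if (id == "") print $0; else buf[++n] = $0 }
        END { flush() }
    '
}

# Usage: report weak stanzas, then show the hardened configuration.
echo "Repositories without enforced GPG checking:"
sample_repo_conf | unchecked_repos
echo
echo "Hardened configuration:"
sample_repo_conf | harden_repo_conf
```

Run against a real system, the same functions can be pointed at `/etc/yum.conf` or the files under `/etc/yum.repos.d/` (for example `cat /etc/yum.repos.d/*.repo | unchecked_repos`); the hardened output should be reviewed rather than written back blindly, and the signing key of each remaining repository still has to be imported and trusted deliberately, which is the web-of-trust point the thread makes.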



