Re: Yum is great, but do you trust them?

Place the PGP keys for the signers in your keyring, then require PGP keys 
for the repositories. Then packages whose signatures can't be trusted or 
where the md5sums don't match the actual package... If you don't do that, 
it's entirely possible that you're installing a trojaned package... There 
are a number of other reasons why a mirror's package might not match, but 
the most likely reason is corruption in transit or storage, and you 
probably don't want to install a corrupt package anyway.

joelja

On Tue, 10 Feb 2004, Dan Stoner wrote:

> Hi,
> 
> I think yum is a great tool for easing the install and update of
> packages.  However, I'm a little concerned about the security of getting
> patches this way, especially with the recommendations of changing the
> yum.conf to include servers that are "closer."
> 
> Would anyone do this on a server?  Would you trust the core repository
> more than the mirrors?  Am I crazy even for considering Fedora for a
> server installation?
> 
> 
> After installing Fedora Core 1 and running yum update, some of the
> package updates display "MD5 digest: BAD".  Apparently, these packages 
> did not have the expected checksums.  I believe they installed anyway.
> 
> My initial response was to freak out about this, but some other Linux
> jockeys I spoke with said "no, that's normal, I see that all the time."
> 
> Thanks for your thoughts.
> 
> - Dan
> 
> 
> 

-- 
-------------------------------------------------------------------------- 
Joel Jaeggli  	       Unix Consulting 	       joelja@xxxxxxxxxxxxxxxxxxxx    
GPG Key Fingerprint:     5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
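
The advice above to require signature checks for every repository can be verified mechanically. The following is an added example, not part of the original message: it reads yum configuration text and lists the repositories for which `gpgcheck` is not in effect. It assumes a `gpgcheck` value in `[main]` is the default for all repositories and that an unset value means no check; the sample configuration, host names and function names are constructed for illustration.

```python
import configparser

# Constructed sample (not from the thread): [main] enables checking, one
# repo inherits it, and a "closer" mirror entry switches it off again.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum
gpgcheck=1

[base]
name=Fedora Core - Base
baseurl=http://mirror.example.org/fedora/core/1/i386/os/

[updates-closer-mirror]
name=Fedora Core - Updates (nearby mirror)
baseurl=http://closer.example.net/fedora/updates/1/i386/
gpgcheck=0
"""

def _enabled(value):
    # yum.conf documents 1/0; accepting yes/true as well is an assumption.
    return value.strip().lower() in ("1", "yes", "true")

def audit_gpgcheck(conf_text):
    """Map each repo id to (signature check enforced?, where that came from)."""
    # Raw parser: no interpolation, so '%' in URLs is kept literally.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    main_set = parser.has_option("main", "gpgcheck")
    main_on = main_set and _enabled(parser.get("main", "gpgcheck"))
    report = {}
    for repo in parser.sections():
        if repo == "main":
            continue
        if parser.has_option(repo, "gpgcheck"):   # per-repo value wins
            report[repo] = (_enabled(parser.get(repo, "gpgcheck")), "repo")
        else:                                     # inherit, or unset => off
            report[repo] = (main_on, "main" if main_set else "unset")
    return report

def unverified_repos(conf_text):
    """Repo ids whose packages would install without a signature check."""
    return sorted(r for r, (on, _) in audit_gpgcheck(conf_text).items() if not on)

if __name__ == "__main__":
    for repo in unverified_repos(SAMPLE_YUM_CONF):
        print("gpgcheck not enforced for repo:", repo)
```

The signers' public keys still have to be in the RPM keyring (for example via `rpm --import`) for an enforced check to pass.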




