Re: Yum is great, but do you trust them?

Thanks to everyone who posted and gave detailed responses. I feel better about using Fedora in general, and now have my Linux box updating daily using yum.

To summarize, and combined with some other threads on this list, info on the web, etc....

How to set up yum updating on Fedora Core 1:

1. import the Fedora GPG key so we can verify the integrity of the downloaded packages.

 rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora

2. modify /etc/yum.conf to enable gpg checking and to use the mirrors of my choice. Note that the directory structure of the mirrors seems to be different than what is in the default yum.conf. The $releasever and $basearch variables _should_ allow us to move beyond Fedora Core 1 without having to change the yum.conf file.

[base]
name=Fedora Core $releasever - $basearch - Base
#baseurl=http://fedora.redhat.com/releases/fedora-core-$releasever
baseurl=http://www.gtlib.cc.gatech.edu/pub/fedora.redhat/linux/core/$releasever/$basearch/os
gpgcheck=1

[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
#baseurl=http://fedora.redhat.com/updates/released/fedora-core-$releasever
baseurl=http://www.gtlib.cc.gatech.edu/pub/fedora.redhat/linux/core/updates/$releasever/$basearch
gpgcheck=1

3. update!

 yum update

4. enable the yum service, which uses a daily cron job to get updates automatically

 chkconfig yum on
 service yum start


Regards,

 Dan Stoner

Joel Jaeggli wrote:

in /usr/share/rhn are two files...

RPM-GPG-KEY-fedora
RPM-GPG-KEY-fedora-test

doing an:

rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora

will import the fedora public key into rpm's keyring... the other is used to sign the packages in the testing dir.

then add:

gpgcheck=1

to the server sections of your yum.conf

then you can:

yum update

without fear of bogus packages...

for third party packages and repositories like atrpms dag or freshrpms there are generally more public keys you can add to validate those packages as well...



On Tue, 10 Feb 2004, Dan Stoner wrote:


Joel Jaeggli wrote:


place the pgp keys for the signers in your keyring then require pgp keys for the repositories. then packages whose signatures can't be trusted or

How do I place the pgp keys into my keyring?

My Google search returned way too much information.

Thanks!

-Dan
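
Added example (not part of the original messages): a shell check that lists the repository sections of a yum.conf-style file that do not set gpgcheck=1, the setting both messages above rely on. It assumes every section except [main] is a repository and that gpgcheck must be set explicitly in each one; the function names and the sample file are constructed for illustration.

```shell
# Added example: list yum.conf repository sections that lack gpgcheck=1.
# Assumptions: every section except [main] is a repository, gpgcheck must be
# set explicitly in each one, and only the value "1" (as used above) counts.
audit_gpgcheck() {
    # $1: path to a yum.conf-style file. Prints unprotected sections; returns 1 if any.
    awk '
        function report() {
            if (section != "" && section != "main" && !ok) {
                print section
                bad = 1
            }
        }
        /^[ \t]*[#;]/ { next }                  # comment line, e.g. "#gpgcheck=1"
        /^[ \t]*\[/ {                           # section header
            report()
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            ok = 0
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t\r]*$/, "", value)
            ok = (value == "1")                 # last assignment wins
        }
        END { report(); exit bad }
    ' "$1"
}

write_sample() {
    # Constructed sample configuration, not taken from a real system.
    cat > "$1" <<'EOF'
[main]
cachedir=/var/cache/yum
[base]
gpgcheck=1
[updates-released]
#gpgcheck=1
[thirdparty]
gpgcheck=0
EOF
}

sample=$(mktemp); write_sample "$sample"
unprotected=$(audit_gpgcheck "$sample") || printf 'gpgcheck=1 missing in:\n%s\n' "$unprotected"
rm -f "$sample"
```

Run against the real file with: audit_gpgcheck /etc/yum.conf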








