Tim wrote:
On Mon, 2006-06-12 at 12:31 +0100, Paul Howarth wrote:
Yum, or rather rpm, has no pre-imported keys at all. Every one of them
is installed as a resutt of some post-installation action, such as
running a "yum update". The keys are supplied out-of-the-box in the
fedora-release package, but they're not pre-imported into the rpm
database.
That would seem to be a bit of a security problem. You're trusting the
first key you get to be true, with nothing to verify against but itself.
It needn't be. The key file itself is part of an RPM package
(fedora-release), and that package is itself signed. The installer
(anaconda) could check the GPG signature of the package when installing
it (I don't know whether it does or not though).
Paul.
