On Tue, 2006-10-24 at 20:48 -0700, Wolfgang S. Rupprecht wrote: > I just did a FC6/x86_64 clean install. I then tried "yum update" as > root and it also wanted to load new keys. > > # yum update > ... > Total download size: 20 M > Is this ok [y/N]: y > Downloading Packages: > warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2 > Importing GPG key 0x4F2A6FD2 "Fedora Project <fedora@xxxxxxxxxx>" > Is this ok [y/N]: n > > Needless to say this rang warning bells. Why would a fresh install > need to install some previously unknown keys? If they keys are legit, > shouldn't they have been loaded at the factory (so to speak)??? A cleam install has no public keys in the RPM database. > The worst aspect of this is that it trains users to blindly press "y" > when presented with questions that have strong security implications. > How is the average user supposed to even know if that request is legit > or not? A good point but at least it's consistent, in that the official repos need their keys importing just like a third party repo would. Paul.
