Les Mikesell writes:
> Sam Varshavchik wrote:
>
> > There's no technical reason why an rpm file cannot include the URL of any repositories that provide packages for any needed dependencies, together with the repositories' keys.
>
> That sort of defeats the purpose of having keys unless you are prepared to trust anyone potentially downstream in such a cascading arrangement. It would also add many more points that can change and make updates even less repeatable than they are now.
If you trust a repo's maintainer, and you've imported the repo's keys, and the maintainer builds a package with a dependency on another third party repo, the maintainer puts the third party repo's URL and keys into the package, and signs the package with his key. You already trust the key, because you're pulling packages from the repo already. So, you're going to have to make a call. Either reject the third party repo's keys, but then the update will be rejected since the dependency won't be satisfied, or accept the third party repo's keys, and pull in the rest of the dependency.
Fundamentally, this is no different than the stock PGP web of trust mechanism. You are already trusting one third party repo that you're updating your packages from. A part of that trust, which you must understand, involves trusting whatever other third party repo the first repo itself is trusting.
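An added example (not from this thread) that models the cascading arrangement both posts describe: a package signed by an already trusted key ships the keys of the repos its dependencies come from, and a policy decides whether those keys get imported. The repo, key and package names are constructed; a signature check is reduced to "signed by a key id in the trusted set".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    name: str
    signed_by: str               # key id of the repo that built and signed it
    deps: tuple = ()             # package names this one requires
    embedded_repos: tuple = ()   # (repo_url, key_id) pairs the package carries

# Constructed catalogue: foo (repoA) needs libbar (repoB), which needs libbaz (repoC).
# Each package vouches for the repo of its own dependency, as the thread proposes.
PACKAGES = {
    "foo": Package("foo", "keyA", deps=("libbar",),
                   embedded_repos=(("https://repoB.example/", "keyB"),)),
    "libbar": Package("libbar", "keyB", deps=("libbaz",),
                      embedded_repos=(("https://repoC.example/", "keyC"),)),
    "libbaz": Package("libbaz", "keyC"),
}

def install(pkg_name, trusted_keys, accept_embedded):
    """Resolve pkg_name and its dependencies under one of the two policies.

    Returns (installed, trusted_after, rejection_reason). With accept_embedded
    False a dependency is rejected unless its repo key was trusted beforehand;
    with True every embedded key is imported, so the trusted set grows with the
    dependency chain (the cascading effect Les objects to).
    """
    trusted = set(trusted_keys)
    installed = []
    todo = [pkg_name]
    while todo:
        name = todo.pop()
        if name in installed:
            continue
        pkg = PACKAGES[name]
        if pkg.signed_by not in trusted:
            # Nothing is installed: the update as a whole is rejected.
            return [], trusted, f"{name}: signed by untrusted key {pkg.signed_by}"
        # Only a package that already verified may vouch for further repos.
        if accept_embedded:
            trusted.update(key for _, key in pkg.embedded_repos)
        installed.append(name)
        todo.extend(pkg.deps)
    return installed, trusted, None
```

Running `install("foo", {"keyA"}, accept_embedded=True)` ends with three trusted keys although only keyA was ever imported by hand; the same call with `accept_embedded=False` fails at libbar.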