* jdow <jdow@xxxxxxxxxxxxx> [20080905 08:56]:
> Suppose I have NO RedHat installed. I have no working computer near
> me. I want to install Fedora 9. How do I establish the ability to
> subject the packages to tests for being properly signed, that the
> key used in the test is correct, and that I am reading and updating
> from a legitimate mirror?
In this event you are likely installing from physical media, which
will have the public key on it already. If you do not trust that media
- why are you installing from it?
Once you have installed the system - the updates you are pulling down
will be verified with the key that was on the media - unless you
actively go and switch off the gpg checking.
The part about how to distribute the new public key - that is the
thing that the infrastructure team is debating how to best do now.
Nitpicking - it is spelled "Red Hat".
> If this can be done once in an initial install situation it can be done
> again in an update situation using the same mechanism.
>
> {^_^}
As others have already pointed out - it's a question of trust. At some
point or other - you have to decide what you trust. If you do not
trust something, do not use it (and then live with the consequences of
that choice).
If you decide not to trust passports, you will simply find it a bit
hard to travel from country to country. If you don't trust the Fedora
key, you'll find it a bit hard to use Fedora.
My view of the Fedora public key is that it is a means to verify the
integrity of the packages coming from the Fedora repo's. That the
package is originating from Fedora, and not from untrusted 3rd
party and that the packages have not been tampered with in
mid-flight. If you don't trust the method by which packages are
downloaded, verified and installed by yum - maybe you'd trust going to
the Fedora download site and grabbing the packages, one by one, and
installing them by hand?
This is a potential solution actually. If you don't trust https:// to
the download section of Fedora - you don't trust Fedora full stop. So
providing a page with the new key, and instruction for what to change
and how, on your system to point at the new repo's should satisfy even
the most paranoid people on this list. As the packages are signed with
the new key, and if you remove the old key - you should be OK. Right?
Yes - it requires manual interaction, it'll be a PITA etc etc ad
nauseum. You have a better, more trustworthy idea? Let's hear it.
/Anders
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
