jdow wrote:
Suppose I have NO RedHat installed. I have no working computer near
me. I want to install Fedora 9. How do I establish the ability to
subject the packages to tests for being properly signed, that the
key used in the test is correct, and that I am reading and updating
from a legitimate mirror?
This is the same issue you have with SSH, or encrypted web pages.
Who certifies the certificators? Diffie and Hellman solved the
key distribution problem, but the only way we know of to know that
you've got the right public key is to perform the initial transfer in
person, and then build a "web of trust" as has been mentioned.
If this can be done once in an initial install situation it can be done
again in an update situation using the same mechanism.
One way is to download the stuff from Red Hat's site itself,
and trust that no one has managed to intercept your communications.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
