[packagekit] GNOME summit and more about GPG keys

Richard Hughes hughsient at gmail.com
Wed Oct 10 12:26:00 PDT 2007


On Wed, 2007-10-10 at 20:29 +0200, Alexander Boström wrote:
> Wed 2007-10-10 at 10:25 -0400, Robin Norwood wrote:
> 
> > All of the repos I see with a quick check have the gpgkey option set to
> > file:///etc/pki/rpm-gpg/FOO - isn't that enough?  (And this is before
> > the gpg key is actually imported). 
> 
> Ok, how about this... (I'm going to ignore non-yum now, because I don't
> know much about the subject.) Let's for the sake of argument assume that
> PK assumes that all .repo files are installed using RPMs and that they
> all use gpgkey=file://etc/pki/.... and include that key in the RPM. It
> auto-accepts all those and fails with an error on any other keys. Then it
> would Just Work, for most repos.

Yes. If a key is in /etc then it's sane to trust it by default IMO.

> It still wouldn't be secure, but neither would it hide any security
> problems which are visible with current tools, so it's not a step
> backwards.

I'm not sure any of this is a security measure, it's more to protect
people from lawyers :-)

Richard.
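
Added example, not part of the original message and not PackageKit or yum code: a sketch of the policy discussed in this thread, where a repo is auto-accepted only if every gpgkey it lists is a local file URL and anything else is an error. Assumptions: the trusted directory is /etc/pki/rpm-gpg, the names key_is_local and classify_repos are hypothetical, and the sample .repo text is constructed.

```python
import configparser
import posixpath
from urllib.parse import urlsplit, unquote

TRUSTED_KEY_DIR = "/etc/pki/rpm-gpg"  # assumed from the path named in the thread

# Constructed sample .repo content (not taken from any real repository).
SAMPLE_REPO = """
[local-key]
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[remote-key]
gpgkey=http://mirror.example.org/RPM-GPG-KEY-extras

[traversal]
gpgkey=file:///etc/pki/rpm-gpg/../../../tmp/key

[two-keys]
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-a
       file://etc/pki/rpm-gpg/RPM-GPG-KEY-b
"""


def key_is_local(url):
    """True only for host-less file:// URLs that stay inside TRUSTED_KEY_DIR."""
    parts = urlsplit(url)
    if parts.scheme != "file" or parts.netloc:
        return False  # remote scheme, or "file://etc/..." where "etc" is a host
    path = posixpath.normpath(unquote(parts.path))  # collapse ".." segments
    return path.startswith(TRUSTED_KEY_DIR + "/")


def classify_repos(text):
    """Map each repo id to 'auto-accept' or 'error' under the proposed policy."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    result = {}
    for repo in cfg.sections():
        # gpgkey may list several URLs separated by whitespace or commas.
        keys = cfg.get(repo, "gpgkey", fallback="").replace(",", " ").split()
        ok = bool(keys) and all(key_is_local(k) for k in keys)
        result[repo] = "auto-accept" if ok else "error"
    return result


if __name__ == "__main__":
    for repo, verdict in classify_repos(SAMPLE_REPO).items():
        print(repo, verdict)
```

The check works on the URL string only: it does not resolve symlinks or confirm that the key file is owned by an installed RPM.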




