Hi.

On Wed 2002-10-30 at 10:05:21 -0700, Vincent Danen wrote:
[...]
> > Moreover, gpg itself has a nice auto-retrieve option for automatic
> > download of missing keys from keyserver. Provided keys used for
> > signing packages are available there, it seems sufficient for me.
> 
> I never use this.  I don't like keys being automatically added to my 
> keyring.  It's too easy for abuse.

Interesting. That points out another weakness. Automatic adding of keys
to the keyring is not easy to abuse per se. The problem is that urpmi
accepts a package as soon as the signature verifies.

That a package is correctly signed only says that it is really from
the source it claims to be (I ignore the part that the key could have
been tampered with). What is missing is a check of which sources you trust.

Having a key in the keyring does not mean that I trust the owner of
the key at all. It just means that I trust that he really is the
owner.

So, in order to make this more secure, in addition to the signature,
there should be a configurable list of sources to trust rpms from.

[...]
> Better yet, there should be a keyring outside of root's keyring that is 
> read-only by users and read/write by root (not in /root/.gnupg) that 
> contains rpm gpg keys.  That removal from the user environment 
> (especially root) adds another level of integrity.

No need to separate the key rings. A little config which lists the keys
to trust for such operations sounds like enough. This could even be done
in a way that not each key is valid for each source, i.e. a key for
plf shouldn't necessarily be valid for a package coming from mdk.

Greetings,

        Benjamin.
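The per-source trust list proposed above, as an added example that is not part of the original message or of urpmi: a package is accepted only when its signature verifies and the signing key is listed as trusted for the source the package came from. The policy format, source names, fingerprints and packages are constructed samples.

```python
"""Per-source trust policy for signed packages (added example, not urpmi code).
A valid signature proves who signed the package, not that the signer may
supply packages for this source; that decision is made from a policy list.
"""
from dataclasses import dataclass

# Constructed policy file: one "source fingerprint" pair per line.
# A key listed for one source (plf) is not trusted for another (mdk).
POLICY_TEXT = """
# source    signing-key fingerprint (full 40 hex digits, not a short key ID)
mdk         0123456789ABCDEF0123456789ABCDEF01234567
plf         89ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

def normalize_fpr(fpr: str) -> str:
    """Canonical fingerprint form: upper case hex with spaces removed."""
    return "".join(fpr.split()).upper()

def parse_policy(text: str) -> dict[str, set[str]]:
    """Map each source name to the set of fingerprints trusted for it."""
    policy: dict[str, set[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        source, fpr = line.split()
        fpr = normalize_fpr(fpr)
        if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
            raise ValueError(f"bad fingerprint for {source}: {fpr}")
        policy.setdefault(source, set()).add(fpr)
    return policy

@dataclass
class Package:
    name: str
    source: str         # media the package came from, e.g. "mdk" or "plf"
    signature_ok: bool  # result of the cryptographic check (gpg --verify)
    signer_fpr: str     # fingerprint of the key that made the signature

def decide(pkg: Package, policy: dict[str, set[str]]) -> tuple[bool, str]:
    """Accept only if the signature verifies AND the signer is trusted for the source."""
    if not pkg.signature_ok:
        return False, "signature does not verify"
    trusted = policy.get(pkg.source)
    if not trusted:
        return False, f"no trusted keys configured for source {pkg.source!r}"
    if normalize_fpr(pkg.signer_fpr) not in trusted:
        return False, f"signer {pkg.signer_fpr} is not trusted for source {pkg.source!r}"
    return True, "signed by a key trusted for this source"
```

A key that is merely present in the keyring but absent from the policy for that source is rejected even though gpg reports a good signature.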
