On Tuesday, November 5, 2002, at 05:05 PM, Benjamin Pflugmann wrote:
Actually, if you look through the cooker archives, you'll see I mentioned this exact same thing before. apt does it (or at least apt4rpm), so urpmi should do it as well.

Moreover, gpg itself has a nice auto-retrieve option for automatic download of missing keys from a keyserver. Provided keys used for signing packages are available there, it seems sufficient for me.

I never use this. I don't like keys being automatically added to my keyring. It's too easy for abuse.

Interesting. That points out another weakness. Automatic adding of keys to the keyring is not easy to abuse per se. The problem is that urpmi accepts a package as soon as the signature verifies.

That a package is correctly signed only says that it is really from the source it claims to be (I ignore the part that the key could have been tampered with). What is missing is a check of which sources you trust. Having a key in the keyring does not mean that I trust the owner of the key at all. It just means that I trust that he really is the owner. So, in order to make this more secure, in addition to the signature, there should be a configurable list of sources to trust rpms from.
--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
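The distinction drawn in the message above, between a signature that verifies and a signer who is trusted for a given source, shown as an added example that is not part of the original thread and is not urpmi's or gpg's own code. The policy mapping, the source names and the fingerprints are assumptions, and the status lines are constructed in the format GnuPG writes with `--status-fd`.

```python
# Added example with constructed data; the policy format is hypothetical.
# Fingerprints are constructed placeholders, not real keys.
VENDOR_FPR = "A" * 40
THIRD_PARTY_FPR = "B" * 40

# Hypothetical per-source trust policy: which signing keys may vouch for
# packages that come from which configured package source.
TRUSTED_SIGNERS = {
    "main": {VENDOR_FPR},
    "contrib": {VENDOR_FPR, THIRD_PARTY_FPR},
}

REJECT = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")

def valid_signer(status_output):
    """Return the signer fingerprint from gpg status output, or None.

    Only exactly one VALIDSIG line counts. Any bad, unverifiable, expired
    or revoked signature status makes the result None.
    """
    fprs = []
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return None
        if parts[1] == "VALIDSIG":
            fprs.append(parts[2].upper())
    return fprs[0] if len(fprs) == 1 else None

def accept_package(source, status_output, policy=TRUSTED_SIGNERS):
    """Accept only if the signature is valid AND the signer is trusted for source."""
    fpr = valid_signer(status_output)
    if fpr is None:
        return False, "no valid signature"
    if fpr not in policy.get(source, set()):
        return False, f"valid signature, but {fpr[-8:]} is not trusted for '{source}'"
    return True, f"signed by {fpr[-8:]}, trusted for '{source}'"

def status_for(fpr):
    # Constructed sample of the status lines for a good signature.
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer <signer@example.invalid>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2002-11-05 1036515900 0 3 0 17 2 00 {fpr}\n")

if __name__ == "__main__":
    for src, fpr in [("main", VENDOR_FPR), ("main", THIRD_PARTY_FPR),
                     ("contrib", THIRD_PARTY_FPR)]:
        print(src, accept_package(src, status_for(fpr)))
```

The second case is the one the message describes: the key is in the keyring and the signature is good, yet the package is refused because that signer is not listed for the source it came from.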
