On Tue, Apr 04, 2006 at 03:23:56PM +0200, houghi wrote:
> On Tue, Apr 04, 2006 at 02:29:58PM +0200, Joachim Werner wrote:
> <snip great explanation>
> > Now for the problems with YaST and installation sources you may have faced in
> > the last couple of days:
> >
> > The problem is that the signature checks are already in place, but the GUI and
> > command line options that let you import non-SUSE keys, override key checking
> > and integrity checking are not in place yet.
>
> OK. That was what I figured out eventually. ;-)
>
> > With the final product you will be able to switch all the checks off, so you
> > can still use sources that do not use any signing or checksums. But currently
> > there are a few bugs with YaST expecting a signature to be there etc.
>
> Somehow I managed to work around that and get non-signed RPMs on an ISO.
> This with just editing the content of one file. This means that even
> though people think they have the real deal, they might get an infected CD
> or DVD.
>
> Does this then not kill off the purpose of the signing? It makes it possible
> to get insecure things installed. All it does is remove the ^META and ^KEY
> from ./content.

No, since we also sign the Packages / repomd.xml files and these contain the
SHA-1 / SHA-256 sums of the packages.

Ciao, Marcus
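
The chain described in the reply above (a signed index carries the package checksums, so a package is trusted only through that index), as an added example that is not part of the original thread or of YaST. The one-line `ALGO hexdigest filename` index format, the function names and the sample data are constructed for illustration and are not the real Packages, repomd.xml or ./content formats; the signature check on the index is assumed to be done elsewhere and is passed in as a boolean.

```python
import hashlib

ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

def parse_index(text):
    """Parse '<ALGO> <hexdigest> <filename>' lines (constructed, simplified format)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ALGOS:
            entries[parts[2]] = (parts[0], parts[1].lower())
    return entries

def verify_medium(packages, index_text, index_signature_valid):
    """Map each package name to a verdict; anything not provably good is rejected.

    index_signature_valid stands in for the result of checking the index's
    detached signature against a trusted key (assumed to be done elsewhere).
    """
    if not index_signature_valid:
        return {name: "reject: index signature not verified" for name in packages}
    entries = parse_index(index_text)
    verdicts = {}
    for name, data in packages.items():
        if name not in entries:
            # Deleting a checksum line must never switch a check off.
            verdicts[name] = "reject: not listed in signed index"
            continue
        algo, expected = entries[name]
        actual = ALGOS[algo](data).hexdigest()
        verdicts[name] = "ok" if actual == expected else "reject: checksum mismatch"
    return verdicts

# Constructed sample data: one package payload and the index line that covers it.
GOOD = b"constructed payload of foo-1.0.rpm"
INDEX = "SHA256 %s foo-1.0.rpm\n" % hashlib.sha256(GOOD).hexdigest()

if __name__ == "__main__":
    media = {"foo-1.0.rpm": GOOD, "bar-1.0.rpm": b"constructed unsigned payload"}
    for name, verdict in verify_medium(media, INDEX, True).items():
        print(name, "->", verdict)
```

An index whose lines were edited or removed no longer matches its signature, so the caller passes `False` and every package is rejected.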
