Michael Catanzaro wrote on Mon, Jul 04, 2022 at 05:48:28PM -0500:
> After installing or upgrading your Fedora or RHEL system, you have to accept
> a "do you trust this official Fedora project key" prompt or you cannot
> install packages from the official repos. So all our users have been trained
> to ignore warnings about untrusted packages because it's mandatory to do so.
> If few users think twice about accepting a key as long as it purports to be
> from "Fedora" or "Red Hat"... well, the whole system is subverted. This
> needs a rethink.

The keys come from the installed key packages and have already been
written to /etc when that prompt happens -- users can trust these keys
because they trusted the package that wrote them in the first place.

That being said, you could just as well look at it the other way and say
that if something malicious can write keys there, it could also accept
the prompt for you so you wouldn't see it -- hence the prompt can be
said to be useless one way or the other...

--
Dominique Martinet | Asmadeus
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
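The reasoning above (the key file is already on disk, placed there by a package you chose to trust) suggests the check a careful admin can run before answering the import prompt: confirm that the key file dnf names is owned by an installed package, that the package is signed and the file unmodified, and that the file's fingerprint equals the one the prompt prints. The script below is an added example written for this page; it is not Dominique's or Fedora's code. It assumes rpm and gnupg2 are installed, that the key lives under /etc/pki/rpm-gpg (the usual location), and takes the fingerprint from the prompt as an argument; no real Fedora key or fingerprint is embedded.

```shell
#!/bin/sh
# Added example (not from the thread): vet a repo key before accepting the
# dnf "Importing GPG key ... Is this ok [y/N]" prompt.
# Usage: ./check-repo-key.sh /etc/pki/rpm-gpg/RPM-GPG-KEY-<name> '<fingerprint from prompt>'

# Normalise a fingerprint spelling: drop spaces and colons, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Succeed when two spellings denote the same fingerprint.
fpr_equal() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Print every fingerprint in an armoured key file without importing it.
# Assumes gnupg >= 2.1, where --show-keys inspects a file on disk.
key_file_fprs() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10 }'
}

# Full check for one prompt. $1 = key file dnf names, $2 = fingerprint dnf prints.
# Returns non-zero with a reason on stderr if any step fails.
check_repo_key() {
    keyfile=$1
    shown=$2

    # 1. The file must be owned by an installed package (dnf did not just fetch it).
    pkg=$(rpm -qf "$keyfile" 2>/dev/null) || {
        echo "$keyfile is not owned by any installed package" >&2
        return 1
    }

    # 2. That package must carry a signature; "(none)" means it was never signed.
    if rpm -qi "$pkg" | grep -q '^Signature *: (none)'; then
        echo "$pkg is not signed" >&2
        return 1
    fi

    # 3. The on-disk file must be byte-identical to the packaged copy.
    #    rpm -V lists modified files; an untouched key file prints no line.
    if rpm -V "$pkg" | grep -q " $keyfile\$"; then
        echo "$keyfile differs from the copy shipped in $pkg" >&2
        return 1
    fi

    # 4. The prompt's fingerprint must match one in the file.
    for fpr in $(key_file_fprs "$keyfile"); do
        if fpr_equal "$fpr" "$shown"; then
            echo "OK: $keyfile owned by signed package $pkg, fingerprint matches"
            return 0
        fi
    done
    echo "fingerprint shown by dnf ($shown) is not in $keyfile" >&2
    return 1
}

# Only run the rpm/gpg workflow when invoked with arguments, so the helpers
# above can be sourced or tested without rpm present.
if [ $# -eq 2 ]; then
    check_repo_key "$1" "$2"
fi
```

Steps 1 to 3 answer the mail's first point (the key really did arrive via a package you already trusted), and step 4 catches a prompt whose fingerprint does not belong to that file. The mail's second point still stands: every query here goes through the same rpmdb and filesystem an attacker who can write keys to /etc could also tamper with, so this raises the bar only against a key that was dropped in outside the package system, not against a compromised host.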