[13.Eyl.07 01:36 +0300] Sertaç Ö. Yıldız:
[12.Eyl.07 15:43 -0400] seth vidal:
On Wed, 2007-09-12 at 21:42 +0200, Nicolas Mailhot wrote:
I hope yum has a check somewhere to forbid installation of unknown default-on repositories.
how on earth would yum know? Do you want yum to have special behavior if it detects a .repo file?
Not for .repo files, but it would be nice to check for GPG keys it installs.
On a second thought, I realized that yum cannot do anything about trust at the moment. And my mindset about trust here (based on public keys being installed or not) was completely flawed. I’ve seen a package executing “rpm --import” from postinstall scriptlet and maybe it’s possible even from preinstall.
If I cannot express my distrust on a repository (or specifically a public key) I cannot express my trust either. And probably this must be solved at the rpm level.
Rpm apparently has some (undocumented) code about this: | $ rpm --trust | --trust: missing argument
But IIUC at the moment it handles the situation similar to what I’d thought: NOTTRUSTED is similar to NOKEY.
As it is, GPG signature verification reduces to a mere integrity check if one wants to use external repositories.