[lug] Red Hat Network Experience?

Riggs, Rob RRiggs at doubleclick.net
Tue Mar 19 15:02:32 MST 2002


That's not a valid line of reasoning. I would highly doubt that Red Hat
keeps their GPG keys on publicly accessible machines. It would be extremely
foolish to do so. The private GPG key that signs Red Hat's packages is very
likely kept on a secure build system.

The whole purpose of signing packages is that it is very difficult to keep a
publicly accessible machine 100% secure, and one must assume that it will at
some point be compromised and have legitimate packages replaced with
trojaned versions. The GPG signature gives one the ability to verify that
the packages one downloads from insecure sites were built by a trusted
source.

-Rob

-----Original Message-----
From: Rob Nagler [mailto:nagler at bivio.biz]

Another gripe is that when it runs interactively it prompts you if the
package doesn't have a GPG signature.  I learned quickly to run
"up2date -u", so I'm not bothered acknowledging something I have no
way of validating or invalidating.  The packages are imported over a
secure connection, so the only problem I could imagine is their
machine was compromised in which case anybody wanting to send a Trojan
horse to all customers would also have access to their GPG private
key.
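To make the point of the reply above concrete, here is an added example (not code from the thread, from Red Hat, or from up2date) that models the three parties involved: a build system that holds the private signing key, a public mirror that may be compromised, and a client that verifies a package before installing it. It uses Ed25519 from Go's standard library in place of GPG and RPM, and the package name and payload bytes are constructed for the example; the structure is what matters, not the specific algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is what a mirror serves: the package bytes plus the
// detached signature produced on the build system.
type SignedPackage struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// BuildSystem models the host that holds the signing key. The mirror never
// sees the private half; only the public key travels to clients.
type BuildSystem struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewBuildSystem() (*BuildSystem, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &BuildSystem{priv: priv, pub: pub}, nil
}

// PublicKey is distributed out of band (e.g. on install media), so the
// client's trust does not depend on the mirror it downloads from.
func (b *BuildSystem) PublicKey() ed25519.PublicKey { return b.pub }

// Sign signs the SHA-256 digest of the payload, covering all package bytes.
func (b *BuildSystem) Sign(name string, payload []byte) SignedPackage {
	digest := sha256.Sum256(payload)
	return SignedPackage{Name: name, Payload: payload, Signature: ed25519.Sign(b.priv, digest[:])}
}

// Mirror models a public download host. An attacker who takes it over can
// replace package bytes but cannot forge a signature for them.
type Mirror struct{ packages map[string]SignedPackage }

func NewMirror() *Mirror               { return &Mirror{packages: map[string]SignedPackage{}} }
func (m *Mirror) Publish(p SignedPackage) { m.packages[p.Name] = p }

// Tamper simulates the compromise: the payload is swapped for a trojaned
// one while the original (now mismatched) signature is left in place.
func (m *Mirror) Tamper(name string, trojan []byte) {
	p := m.packages[name]
	p.Payload = trojan
	m.packages[name] = p
}

func (m *Mirror) Fetch(name string) (SignedPackage, bool) {
	p, ok := m.packages[name]
	return p, ok
}

var ErrBadSignature = errors.New("package signature does not verify")

// Verify is the client-side check an updater runs before installing. It
// needs only the trusted public key, not a secure channel to the mirror.
func Verify(trusted ed25519.PublicKey, p SignedPackage) error {
	digest := sha256.Sum256(p.Payload)
	if !ed25519.Verify(trusted, digest[:], p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenario runs the exchange end to end and reports whether the clean
// package verified and whether the trojaned replacement was rejected.
func Scenario() (cleanOK bool, tamperedRejected bool, err error) {
	build, err := NewBuildSystem()
	if err != nil {
		return false, false, err
	}
	mirror := NewMirror()
	// Constructed sample payload standing in for a real RPM.
	mirror.Publish(build.Sign("example-pkg", []byte("legitimate package bytes")))

	fetched, _ := mirror.Fetch("example-pkg")
	cleanOK = Verify(build.PublicKey(), fetched) == nil

	mirror.Tamper("example-pkg", []byte("trojaned package bytes"))
	fetched, _ = mirror.Fetch("example-pkg")
	tamperedRejected = errors.Is(Verify(build.PublicKey(), fetched), ErrBadSignature)
	return cleanOK, tamperedRejected, nil
}

func main() {
	clean, rejected, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean verified: %v, trojaned rejected: %v\n", clean, rejected)
}
```

The split matters more than the algorithm: `Sign` runs only where the private key lives, `Verify` runs on every client with a pre-trusted public key, and the mirror in between is treated as untrusted. Transport security (the "secure connection" mentioned above) protects bytes in flight; the signature is what protects against the mirror itself serving the wrong bytes.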
