2009/9/16 John Summerfield <[email protected]>:
> Brandon Perkins wrote:
>>
>> This is because the Red Hat package signing key was not imported into
>> the RPM database. This happens if you have not yet connected to Red Hat
>> Network and obtained updates. To import the key manually, run the
>> following command as root:
>>
>> rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
>>
>> Once the Red Hat GPG key is imported, you may now use yum to install
>> packages.
>
> Why is that not done at install time? The act of installing RHEL implies
> trust of the supplier, so what's the problem?
>

Well, this is pretty obvious. The fact that you trust the supplier does not imply that you trust the media you are installing from. Even if they were shipped in a pretty box with undamaged shrink-wrap I could still imagine some ingenious villain trying to dupe me. Of course, if you are running a Ma&Pop shop it's not too probable. OTOH if you are a government agency, you may be worth targeting.

To preserve consistent behaviour across all types and sizes of customer Red Hat decided not to import the key at system install time. If you trust the media, you have the key just there. You may of course opt for trying to obtain the key from a person you can identify as a Red Hat employee authorised to pass such a key. Or do something in-between these two extreme cases. Your level of paranoia may vary ;).

Regards,
Paweł
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
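
Added example, not part of the original thread: one way to do the "in-between" check is to compare the fingerprint of the key on the media with one obtained over a separate trusted channel, and run `rpm --import` only on a match. The function names are hypothetical, the expected fingerprint is supplied by the caller, and it assumes a recent GnuPG 2.x that supports `--show-keys`.

```shell
#!/bin/sh
# Added example: import an RPM signing key only if its fingerprint matches
# one obtained out-of-band. All function names here are hypothetical.

# Strip spaces/colons and upper-case, so "ab12 cd34" and "AB12CD34" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n\t' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin and print each primary-key
# fingerprint: the fpr record that follows a pub record. Subkey fprs are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# $1 = colon listing of the key file, $2 = expected fingerprint.
# Succeeds only if the listing holds exactly one primary key and it matches.
# A file carrying extra keys is rejected, since rpm --import would import them all.
fpr_matches() {
    expected=$(normalize_fpr "$2")
    set -- $(printf '%s\n' "$1" | primary_fprs)
    [ $# -eq 1 ] && [ "$(normalize_fpr "$1")" = "$expected" ]
}

# $1 = key file (e.g. /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release)
# $2 = fingerprint obtained over a channel you trust independently of the media
verify_and_import() {
    # --show-keys lists the keys in the file without touching any keyring.
    listing=$(gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null) || return 2
    if fpr_matches "$listing" "$2"; then
        rpm --import "$1"
    else
        echo "fingerprint mismatch for $1; key NOT imported" >&2
        return 1
    fi
}
```

Run as root: `verify_and_import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release "<fingerprint from trusted channel>"`.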
