On Mon, Sep 12, 2005 at 10:36:36AM +1000, O Plameras wrote:
> Different persons have different yard sticks for deciding whether to
> TRUST or NOT TRUST mirrors.
Er, if you get the gpg key from a trusted site, then download the packages from the mirror, you don't HAVE to trust the mirror (as long as you believe gpg / yum / apt is not broken).

There are many instances of not only mirrors but master sites of FOSS software being hacked into. I've never heard of a successful man-in-the-middle attack against yum/apt/gpg.

Still, I sort of agree with you that getting the gpg key from a known 'trusted' mirror like planetmirror is not a huge risk. I would at least check the fingerprint of the key against the master site or Google.

Matt

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
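The fingerprint check suggested in the reply above, as an added example that is not part of the original message: it lists a key file fetched from a mirror without importing it and compares the primary key's fingerprint with one read separately from the master site. The function names, the script name and the sample listing are assumptions made for illustration, and it assumes a GnuPG that supports `--show-keys`.

```shell
#!/bin/sh
# Check a key file fetched from a mirror against a fingerprint obtained
# separately from the master site. Function names are hypothetical.

# Normalise a pasted fingerprint: drop spaces and colons, uppercase hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# From `gpg --with-colons` output on stdin, print each primary key's
# fingerprint: the first "fpr" record (field 10) after a "pub" record.
# Fingerprints of subkeys (records after "sub") are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# $1 = expected fingerprint, listing on stdin. Returns 0 only when the
# listing holds exactly one primary key and its fingerprint matches.
check_listing() {
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "refusing: $count primary keys in file, expected 1" >&2
        return 2
    fi
    if [ "$(norm_fpr "$found")" != "$(norm_fpr "$1")" ]; then
        echo "fingerprint mismatch, file has: $found" >&2
        return 1
    fi
}

# Constructed sample listing (not a real key): one primary key, one subkey.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1126483200:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1126483200::::Example Archive Key:
sub:-:4096:1:0000111122223333:1126483200::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:'

# Usage: sh check-key.sh KEYFILE "FINGERPRINT FROM MASTER SITE"
# --show-keys lists a key file without importing it (GnuPG 2.2 or later).
if [ "$#" -eq 2 ]; then
    gpg --batch --with-colons --show-keys "$1" | check_listing "$2" &&
        echo "fingerprint matches"
fi
```

The check fails closed when the file carries more than one primary key, so an extra key bundled into the download is not imported alongside the expected one.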