Matthew Hannigan wrote:
On Mon, Sep 12, 2005 at 10:36:36AM +1000, O Plameras wrote:
Different persons have different yardsticks for deciding whether to
TRUST or NOT TRUST mirrors.
Er, if you get the gpg key from a trusted site, then download the
packages from the mirror you don't HAVE to trust the mirror.
(as long as you believe gpg / yum / apt is not broken)
It can be asked, why not use the gpg-key from the mirror to download as it
will not download if gpg-key does not have integrity?
There are many instances of not only mirrors but master sites
of FOSS software being hacked into. I've never heard of a successful
man-in-the-middle attack against yum/apt/gpg.
Still I sort of agree with you that getting the gpg key from a
known 'trusted' mirror like planetmirror is not a huge risk.
I would at least check the fingerprint of the key
against the master site or google.
Matt
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
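The check Matt suggests (compare the fingerprint of a key fetched from a mirror against the one published by the master site before trusting it) as an added example; this is not code from the thread or from any project named in it. It assumes GnuPG 2.1.23 or later (for `--show-keys`), a key file already downloaded from a mirror, and an expected fingerprint copied from the master site; the fingerprint shown here is a placeholder, not a real project key.

```shell
#!/bin/sh
# Added example: import a vendor signing key only if its fingerprint matches
# the value published by the master site, then verify a package against it.
# EXPECTED_FPR is a PLACEHOLDER; replace it with the fingerprint from the
# project's own site, not from the mirror you downloaded the key from.
EXPECTED_FPR="0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"

# Normalise a fingerprint for comparison: drop spaces and colons, uppercase.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF'
}

# Return 0 when two fingerprints are the same key, whatever their formatting.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Print the fingerprint(s) in a key file WITHOUT importing it into the keyring
# (--show-keys, GnuPG >= 2.1.23). Field 10 of an "fpr" record is the fingerprint.
key_fingerprints() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Import the key only when its primary fingerprint matches the expected one.
verify_and_import_key() {
    keyfile=$1
    expected=$2
    got=$(key_fingerprints "$keyfile" | head -n 1)
    if [ -z "$got" ]; then
        echo "no fingerprint found in $keyfile" >&2
        return 1
    fi
    if fpr_matches "$got" "$expected"; then
        gpg --batch --import "$keyfile"
    else
        echo "fingerprint mismatch: got $got, expected $expected" >&2
        return 1
    fi
}

# Verify a downloaded file against its detached signature using the imported key.
# gpg exits non-zero on a bad signature or an unknown key, so the mirror that
# served the file does not need to be trusted.
verify_download() {
    gpg --batch --verify "$1.sig" "$1"
}

# Usage (hypothetical file names):
#   verify_and_import_key RPM-GPG-KEY-from-mirror "$EXPECTED_FPR" && \
#   verify_download some-package.tar.gz
```

The point of `--show-keys` is that the mirror's key never enters the keyring until its fingerprint has been checked; once it is imported, `gpg --verify` (or `rpm --checksig` for RPM packages) fails closed on any file the mirror altered.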