SCIENTIFIC-LINUX-USERS Archives

July 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Konstantin Olchanski <[log in to unmask]>
Reply To: Konstantin Olchanski <[log in to unmask]>
Date: Fri, 24 Jul 2009 18:54:49 -0700

On Thu, Jul 23, 2009 at 07:04:57PM -0700, Kelvin Raywood wrote:
> Connie Sieh wrote:
> >>The yum-conf should have been updated automatically unless it has been 
> >>changed and in that case the .rpmnew was made.
> 
> Yes.  This is the whole point.  If you have modified the .repo files to 
> enable signature checking, then your .repo files will not automatically 
> get the path to the new key.  Thus packages in the repo signed with the 
> new key cause updates to fail.


From the security side, I think it is good that the attempt to automatically
change the SL keys had failed.

Just think - what if instead of good Connie, these were evil hackers
who broke into the SL master repository and pushed a trojan yum config
package with trojan gpg keys. They would own every SL machine everywhere,
overnight.

Perhaps the changing of a master signature is a very significant
event that has to be handled manually. (think "checks and balances").


-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
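
The situation discussed in this message, as an added example that is not part of the original thread: a locally modified `.repo` file keeps its old `gpgkey` while the packaged version sits beside it as `.rpmnew`, and this check lists the key paths an administrator would need to review by hand. The repo id, URL and key file names are constructed placeholders, and `pending_key_changes` is a hypothetical helper.

```python
import configparser

# Constructed sample: a locally modified .repo file (signature checking enabled).
REPO_LIVE = """\
[example-base]
name=Example base (constructed sample)
baseurl=http://repo.example.invalid/base/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-old
"""

# Constructed sample: the packaged version that rpm saved beside it as .rpmnew.
REPO_RPMNEW = """\
[example-base]
name=Example base (constructed sample)
baseurl=http://repo.example.invalid/base/
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-old
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-new
"""

def _parse(text):
    # interpolation=None: yum values may contain '%' or '$' and must stay literal
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def pending_key_changes(live_text, rpmnew_text):
    """List (repo id, live keys, packaged keys, gpgcheck on in live file) for
    each repo whose gpgkey list differs between the .repo and its .rpmnew."""
    live, new = _parse(live_text), _parse(rpmnew_text)
    changes = []
    for repo in live.sections():
        if not new.has_section(repo):
            continue
        cur = live.get(repo, "gpgkey", fallback="").split()
        pkg = new.get(repo, "gpgkey", fallback="").split()
        if cur != pkg:
            # Assumption: a missing per-repo gpgcheck counts as off ([main] not read)
            checked = live.get(repo, "gpgcheck", fallback="0").strip() == "1"
            changes.append((repo, cur, pkg, checked))
    return changes

if __name__ == "__main__":
    for repo, cur, pkg, checked in pending_key_changes(REPO_LIVE, REPO_RPMNEW):
        added = [k for k in pkg if k not in cur]
        print(f"[{repo}] gpgcheck={'on' if checked else 'off'}; review before trusting: {added}")
```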
