Hello there - today at my door arrived another bunch of unsigned java
packages. This is what happens next: automatic updates of all machines
on site at TRIUMF are configured to refuse to install unsigned packages,
so installation of java packages fails, blocking any further
updates (no matter how urgent or important) until somebody manually
goes to each SL machine on site and updates the java rpms
manually (well, runs a script that runs rpm --install).

Surely this situation is not ideal and this problem has been
communicated to the perpetrators: packagers of java ought
to sign their stuff and authors of yum should fix this denial
of service vulnerability (where any bum package prevents
installation of security updates).

In the mean time, could java rpms be signed with the SL key?

Note that disabling the signature checks is a bad idea - in this case,
all machines on site are automatically owned if ftp.sl.org
or the local mirror site or the mirroring process becomes
compromised (think: DNS is tricked to resolve ftp.sl.org into an ip
address of an trojan ftp site full of trojaned rpms). This is not
theoretical, it is something that did happen to other linux distributions.

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada