Hello there - today at my door arrived another bunch of unsigned java packages.

This is what happens next: automatic updates of all machines on site at TRIUMF are configured to refuse to install unsigned packages, so installation of java packages fails, blocking any further updates (no matter how urgent or important) until somebody manually goes to each SL machine on site and updates the java rpms manually (well, runs a script that runs rpm --install).

Surely this situation is not ideal and this problem has been communicated to the perpetrators: packagers of java ought to sign their stuff and authors of yum should fix this denial of service vulnerability (where any bum package prevents installation of security updates).

In the meantime, could java rpms be signed with the SL key?

Note that disabling the signature checks is a bad idea - in this case, all machines on site are automatically owned if ftp.sl.org or the local mirror site or the mirroring process becomes compromised (think: DNS is tricked to resolve ftp.sl.org into an IP address of a trojan ftp site full of trojaned rpms). This is not theoretical, it is something that did happen to other linux distributions.

--
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
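One way to keep signature checking enabled while stopping a single unsigned package from blocking every other update, as an added example that is not part of the original e-mail: classify the mirror's packages from `rpm -K` output and hold back only the ones that are not cleanly signed. The function names, paths and sample lines are constructed, and the two output styles matched (legacy `sha1 md5 gpg` and newer `digests signatures`) are an assumption about the rpm versions in use.

```bash
#!/usr/bin/env bash
# Added example (not from the original e-mail). Function names are hypothetical.

# Constructed `rpm -K` output: two legacy-style signed/unsigned lines, one
# failed verification, and two lines in the newer "digests signatures" style.
SAMPLE_RPM_K='/srv/mirror/jdk-1.0-1.i586.rpm: sha1 md5 OK
/srv/mirror/openssl-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
/srv/mirror/foo-1.0-1.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
/srv/mirror/bar-2.1-3.x86_64.rpm: digests signatures OK
/srv/mirror/baz-0.4-1.x86_64.rpm: digests OK'

# Read `rpm -K` lines on stdin, print "<status> <file>" per package:
#   signed   - a signature was present and verified
#   unsigned - only digests were checked, no signature in the package
#   bad      - verification failed (tampered file or key not imported)
classify_checksig() {
    local line file result
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        file=${line%%: *}                      # path before the first ": "
        result=$(printf '%s' "${line#*: }" | tr '[:upper:]' '[:lower:]')
        case "$result" in
            *"not ok"*) echo "bad $file" ;;
            *gpg*|*pgp*|*dsa*|*rsa*|*signatures*) echo "signed $file" ;;
            *) echo "unsigned $file" ;;
        esac
    done
}

# Turn every package that is not cleanly signed into a yum --exclude argument.
# The name is taken from name-version-release.arch.rpm by stripping fields.
exclude_args() {
    local status file b
    classify_checksig | while read -r status file; do
        [ "$status" = signed ] && continue
        b=${file##*/}; b=${b%.rpm}; b=${b%.*}; b=${b%-*}; b=${b%-*}
        printf -- '--exclude=%s\n' "$b"
    done
}

# Demo on the constructed sample. On a real host the input would be
# `rpm -K /path/to/mirror/*.rpm`, and the result passed to `yum update`.
printf '%s\n' "$SAMPLE_RPM_K" | classify_checksig
printf '%s\n' "$SAMPLE_RPM_K" | exclude_args
```

Packages reported as `bad` deserve a look before anything else, since a failed verification on a mirror is exactly the compromise scenario the message describes.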