From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040922

Description of problem:
The /usr/share/doc/fedora-release-2 directory contains only six public keys. It would be nice if the public keys of well-known providers of RPM packages for Fedora Core were included as well (for example fedora legacy, fresh rpms and others). Probably they should be in a separate directory along with an explanation that you provide no guarantee whatsoever about the quality of rpm packages from these sources. Having the public keys installed by Fedora Core means users don't have to download them from an unauthenticated channel.

Version-Release number of selected component (if applicable):
fedora-release-2-4

How reproducible:
Always

Steps to Reproduce:
1. ls /usr/share/doc/fedora-release-2

Additional info:

The way you suggested doing it isn't that bad of an idea. However, it seems better to let each repo distribute its own keys (to deal with keys expiring, and give them more control to add packages signed with new keys). As for authentication, typically, downloading keys is not a big security problem - if it does become one, I'm sure someone will think of a better solution than including the keys in the OS. There's also the concern that including the keys would be sanctioning the repos, many of which include packages of questionable legality or bad fit with Fedora Core's licensing goals.