Dell team, are all of the packages no signed with the new GPG key? Or are we going to have to hold onto the old key as well as the new one?
-Erinn On 06/27/2018 09:44 AM, John Hodrien wrote: > On Wed, 27 Jun 2018, Paul Raines wrote: > >> Definitely should have used https instead of http at least. Other >> than that >> is it pretty common and not really different than click downloading a >> *.bin >> install file and running it with bash (I think Oracle Java still does >> this) > > Sure, but that doesn't make it nice. > >> Having public keys you download from an https site at a clear dell >> URL that you install by hand and then only install rpms with yum is a >> tad better. But pre and post scripts in RPMs can run anything they >> want via bash. Ultimately it still comes down to trusting Dell and >> the integrity of Dell's website certificate > > Trusting Dell's website certificate still means you man-in-the-middle > protected. > > Look at how EPEL/ELrepo/most other repositories do it. You provide a > dell-release RPM, signed with their signing key, which is made > available over > HTTPS. > > First time you use it, you can download the release RPM, validate it > to your > satisfaction that it's legit, and put that into your internal repos, > optionally resigning it or whatever else you'd like to do. > > Any changes Dell then want to make to their repositories they can > release as > an updated dell-release RPM, and nobody has to play games like this. > > jh > _______________________________________________ Linux-PowerEdge mailing list [email protected] https://lists.us.dell.com/mailman/listinfo/linux-poweredge
