Currently, rpmkeys --import implies trusting that key: besides making it usable for signature checking, we allow installations of packages signed by that key (assuming enforcing mode, as will be the case going forward).
It'd be useful, necessary even, to differentiate between the two: if we consider a drop-in directory of pubkeys, any package can place a file in there, but trusting a package enough to install it does not mean we trust the package enough to write open checks on our behalf.