[Rpm-maint] [rpm-software-management/rpm] RFE: differentiate between known and trusted keys (Issue #3358)
Panu Matilainen
notifications at github.com
Fri Oct 4 06:36:43 UTC 2024
Currently, rpmkeys --import implies trusting that key: besides making it usable for signature checking, we allow installations of packages signed by that key (assuming enforcing mode as will be going forward).
It'd be useful, necessary even, to differentiate between the two: if we consider a drop-in directory of pubkeys, any package can place a file in there, but trusting a package enough to install it does not mean we trust the package enough to write open checks on our behalf.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3358