On Monday 01 November 2004 at 11:47 -0500, Peter Jones wrote:
> On Sat, 2004-10-30 at 01:11 +0200, Matias Féliciano wrote:
> > Since rawhide has some unsigned packages, I like to know which packages are not signed, and I sign them with my key (so yum always has "gpgcheck=1"): I mirror rawhide in the i386 directory with rsync, and then I sign the packages that are missing a GPG signature. Note, I don't sign (that is, change) any package in the i386 directory (rsync does not like this).
> When somebody organizes a man-in-the-middle attack between you and whichever site you rsync rawhide from, you sign the packages anyway. Can you see how this is a big problem?
I don't understand your point. If you think what I am doing is completely useless, you are right.
I just enjoy a placebo effect :-)
Second point, right now there are three unsigned packages:
  rpmdb-fedora-3-0.20041101.i386.rpm
  gthumb-2.4.2-4.i386.rpm
  fedora-release-3-rawhide.noarch.rpm
Should I set "gpgcheck=0" in yum.conf only for these three packages?
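
Added example, not part of the original messages: a way to list which mirrored packages carry no signature by classifying `rpm -K` output, keeping "unsigned" separate from "signed but not verifiable". The output format, the function names, the mirror path and the `example-*` sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify lines of `rpm -K` (rpm --checksig) output.
# Assumption: each line reads "<file>: <checks> OK" or "... NOT OK ...", and a
# signature appears as a gpg/pgp/dsa/rsa/"signatures" token (upper case when
# rpm could not verify it). A line with digest tokens only means "unsigned".
classify_rpm_k() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        file=${line%%: *}      # package file name
        result=${line#*: }     # checks and verdict
        lower=$(printf '%s' "$result" | tr '[:upper:]' '[:lower:]')
        case "$lower" in
            *gpg*|*pgp*|*dsa*|*rsa*|*signatures*)
                case "$result" in
                    *"NOT OK"*) echo "unverified $file" ;;  # bad sig or unknown key
                    *)          echo "signed $file" ;;
                esac ;;
            *)
                case "$result" in
                    *"NOT OK"*) echo "baddigest $file" ;;   # unsigned and corrupt
                    *)          echo "unsigned $file" ;;    # only digests checked
                esac ;;
        esac
    done
}

# Names of the packages that carry no signature at all.
unsigned_packages() {
    classify_rpm_k | sed -n 's/^unsigned //p'
}

# Constructed sample output (only the gthumb file name comes from the thread).
sample_rpm_k_output() {
    cat <<'EOF'
gthumb-2.4.2-4.i386.rpm: sha1 md5 OK
example-signed-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
example-unknown-key-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
example-corrupt-1.0-1.i386.rpm: sha1 MD5 NOT OK
EOF
}

# Real use (mirror path is a placeholder): rpm -K /path/to/mirror/i386/*.rpm | classify_rpm_k
sample_rpm_k_output | classify_rpm_k
```

An "unsigned" result only says that digests matched the file as downloaded; it says nothing about where the file came from.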