On 8/22/07, Jesse Keating <jkeating@redhat.com> wrote:

> There aren't requirements, however given that our software is mirrored
> around the world and our tools are made easy to make your own Fedora,
> it's possible that somebody could start handing out spoofed Fedoras.
> If the key you're asking to import says it's Fedora, but the public key
> servers don't match this key, that's a very quick indication that you
> should stop using the system as it's been compromised in some way.

Jean is a physics researcher at CERN.  He installed Fedora on his workstation because he's developing some parallel computation software related to his hypothesis using MPI, and he likes Linux as a development environment.  He is helping to discover the fundamental properties of the universe.

Jean is smarter than anyone posting in this thread. 

People keep making the assumption that reducing questions is designing for "dumb" users.  In fact, we're designing for users who have *more important things to do*.

We should make sure we're not stopping Jean in the middle of his work with a question like "Do you trust this hex number?".  It's not that he couldn't answer it, but we certainly don't make it easy to do so "correctly" (which I guess is browsing to pgp.mit.edu and manually entering the hex number and making some sort of wild guess based on other signatures).

The obvious default policy to me is:

* Fedora trusts the GPG keys it ships
* All other keys are denied

The scenario where this does break down is installing software from other sites like livna.  If we have some sort of hoop there in the process that's probably fine.  Maybe you have to "sudo rpm -ivh http://livna.org/gpg.asc", or click some dialog.  Firefox makes users installing extensions wait 3 seconds.

What I would do is be very realistic though - 99.99% of people are just going to click "OK" to random dialogs popping up, and there is nothing we can do to change that.

> Also it's easy enough to install some piece of software off the net
> that drops a yum repo file in place and starts handing you packages
> from another repo.

If you installed an RPM from an untrusted source, you have already lost.  It can execute arbitrary code in %post, or overwrite /lib/libc.so, the possibilities are endless.
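The hoop the thread keeps circling (compare the fingerprint of a key you are about to trust against a value you already had, rather than asking the user to eyeball a hex number) is mechanical enough to automate. The following is an added example, not code from this thread or from Fedora's tooling: a pure-Python check that de-armors an OpenPGP public key block, verifies its CRC-24 trailer, computes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, the two-byte packet length and the public-key packet body) and refuses the key unless that fingerprint equals a pinned string. The sample key, its creation time and the pinned value are constructed inside the file from made-up RSA numbers; a real deployment would pin the vendor's published fingerprint and run the check before `rpm --import`.

```python
"""Pin a vendor's OpenPGP v4 key fingerprint and check it before trusting the key.

Added illustrative code; not part of the original thread or of Fedora's tools.
The sample key below is constructed in this file from fake RSA numbers.
"""
import base64
import hashlib
import struct


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 section 6.1), the checksum in the armor trailer."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets: bytes, crc=None) -> str:
    """ASCII-armor raw packet bytes. `crc` is overridable only so a test can corrupt it."""
    crc = crc24(packets) if crc is None else crc
    b64 = base64.b64encode(packets).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    trailer = "=" + base64.b64encode(crc.to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + body
                     + [trailer, "-----END PGP PUBLIC KEY BLOCK-----"])


def dearmor(armored: str) -> bytes:
    """Strip armor, verify the CRC-24 trailer, return the raw packet bytes."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # skip armor headers such as "Version: ..."
        body = body[body.index("") + 1:]
    body = [line for line in body if line]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    raw = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(raw) != expected:
        raise ValueError("armor CRC-24 mismatch: key block is corrupt or truncated")
    return raw


def public_key_packet_body(raw: bytes) -> bytes:
    """Body of the leading public-key packet (tag 6) with an old-format header."""
    first = raw[0]
    if not first & 0x80 or first & 0x40:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03
    if tag != 6:
        raise ValueError(f"leading packet has tag {tag}, not a public key")
    if length_type == 0:
        length, offset = raw[1], 2
    elif length_type == 1:
        length, offset = struct.unpack(">H", raw[1:3])[0], 3
    elif length_type == 2:
        length, offset = struct.unpack(">I", raw[1:5])[0], 5
    else:
        raise ValueError("indeterminate packet length is not supported")
    return raw[offset:offset + length]


def fingerprint(raw: bytes) -> str:
    """v4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99, 2-byte length, body."""
    body = public_key_packet_body(raw)
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def check_key(armored: str, pinned_fingerprint: str) -> bool:
    """True only when the key's fingerprint equals the pinned one.

    The pinned value must come from somewhere other than the download that
    delivered the key (shipped with the distribution, published by the vendor
    out of band), or the comparison proves nothing."""
    return fingerprint(dearmor(armored)) == pinned_fingerprint.replace(" ", "").upper()


# --- constructed sample key: fake 1024-bit RSA numbers, not any real vendor key ---
def _mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count followed by the magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_sample_key(creation_time: int = 1187740800) -> bytes:
    """Raw tag-6 packet for a v4 RSA key with made-up numbers (creation time is arbitrary)."""
    n, e = (1 << 1023) | 0x1234567, 65537
    body = b"\x04" + struct.pack(">I", creation_time) + b"\x01" + _mpi(n) + _mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body   # old-format header, 2-byte length


SAMPLE_KEY = armor(build_sample_key())
PINNED = fingerprint(build_sample_key())   # in real use: a constant from an out-of-band source

if __name__ == "__main__":
    print("pinned:", PINNED, "| import allowed:", check_key(SAMPLE_KEY, PINNED))
```

Two things the example makes concrete. First, the CRC-24 in the armor catches corruption and truncation but nothing else; a spoofed key carries a perfectly good CRC, so the fingerprint comparison is the only step that decides anything. Second, yum's `gpgcheck=1` only verifies package signatures against keys already in the RPM database, so whatever policy governs key import (ship-and-trust for Fedora's own keys, a pinned-fingerprint hoop for third-party repositories) is where the trust decision is really made.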