On 12/20/2015 02:28 PM, Gordon Messmer wrote:
On 12/20/2015 10:10 AM, Alice Wonder wrote:
Yes, but I've run into instances where curl does not work for https -
for example I believe if an ECDSA TLS certificate is being used on the
server, curl doesn't work. Not sure about wget.
Why do you think
On 12/20/2015 01:28 PM, Always Learning wrote:
On Sun, 2015-12-20 at 12:44 -0800, Alice Wonder wrote:
RPM has the ability to install a package over the network.
rpm -i ftp://example.org/foo-2.2.noarch.rpm
Thanks for the new knowledge.
The point I'm trying to make though is that yum could
On 12/20/2015 12:44 PM, Alice Wonder wrote:
The point I'm trying to make though is that yum could benefit from the
ability to verify the fingerprint in a key it is importing matches a
DNS query for the user and domain the key claims to be for.
I think we understand your point. The solution tha
On 12/20/2015 10:10 AM, Alice Wonder wrote:
Yes, but I've run into instances where curl does not work for https -
for example I believe if an ECDSA TLS certificate is being used on the
server, curl doesn't work. Not sure about wget.
Why do you think the solution is to make yum behave well when ther
On Sun, 2015-12-20 at 12:44 -0800, Alice Wonder wrote:
> RPM has the ability to install a package over the network.
>
> rpm -i ftp://example.org/foo-2.2.noarch.rpm
Thanks for the new knowledge.
> The point I'm trying to make though is that yum could benefit from
> the ability to verify the finge
On 12/20/2015 12:16 PM, John R Pierce wrote:
On 12/20/2015 4:26 AM, Ned Slider wrote:
Unless I'm mistaken RPM in el5 does not support the https protocol.
Did you mean Yum? rpm is just a file format for packages, and a
package installer program; it's yum that does the network operations to
On 12/20/2015 4:26 AM, Ned Slider wrote:
Unless I'm mistaken RPM in el5 does not support the https protocol.
Did you mean Yum? rpm is just a file format for packages, and a
package installer program; it's yum that does the network operations to
fetch the packages, and as far as I understand
On 12/20/2015 10:05 AM, Gordon Messmer wrote:
On 12/20/2015 04:26 AM, Ned Slider wrote:
Unless I'm mistaken RPM in el5 does not support the https protocol.
In that case, users should use curl or wget to retrieve the rpm over
https before installing it.
Yes, but I've run into instances where
On 12/20/2015 04:26 AM, Ned Slider wrote:
Unless I'm mistaken RPM in el5 does not support the https protocol.
In that case, users should use curl or wget to retrieve the rpm over
https before installing it.
___
CentOS mailing list
CentOS@centos.org
On 20/12/15 10:28, Gordon Messmer wrote:
> On 12/19/2015 09:49 AM, Alice Wonder wrote:
>>
>> With third party repositories the key and configuration file is often
>> distributed separately. That's the potential attack vector for trojan
>> keys.
>
> Examples?
>
> All of the notable repositories
On 12/19/2015 09:49 AM, Alice Wonder wrote:
With third party repositories the key and configuration file is often
distributed separately. That's the potential attack vector for trojan
keys.
Examples?
All of the notable repositories that I'm aware of publish an
x-release.rpm that installs t
On 12/19/2015 10:27 AM, Always Learning wrote:
On Sat, 2015-12-19 at 09:49 -0800, Alice Wonder wrote:
DNS verification solves that issue.
How reliably safe is that?
Crack the DNS access and inflict viruses, trojans etc. with authorised
impunity?
Happy Christmas.
No, if you manage to c
On Sat, 2015-12-19 at 09:49 -0800, Alice Wonder wrote:
> DNS verification solves that issue.
How reliably safe is that?
Crack the DNS access and inflict viruses, trojans etc. with authorised
impunity?
Happy Christmas.
--
Regards,
Paul.
England, EU. England's place is in the European
On 12/19/2015 02:12 AM, Gordon Messmer wrote:
On 12/15/2015 07:05 PM, Alice Wonder wrote:
The first time yum installs a package, it asks to import the GPG key
used to sign the packages. Most people accept without validating the key.
While that is true, it is important to note that yum will o
On 12/15/2015 07:05 PM, Alice Wonder wrote:
The first time yum installs a package, it asks to import the GPG key
used to sign the packages. Most people accept without validating the key.
While that is true, it is important to note that yum will only import
keys that are already installed on di
On 16/12/15 03:05, Alice Wonder wrote:
> I'm not on the yum / RPM list and I don't know that I want to join just
> to discuss this but with respect to GPG keys - it is a classic example of
> trust on first use.
>
> The first time yum installs a package, it asks to import the GPG key
> used to sign th