The key allows you to verify that a package was signed off on by the owner of the key. If you do not trust the key owner, you should not be installing packages from them. Remember a package installation script runs as root, so it can do literally anything to your machine. So, I'd say that yes, there would be a massive risk in importing a key from someone you did not trust.