LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat
User Name
Password
Red Hat This forum is for the discussion of Red Hat Linux.

Notices

Reply
 
Search this Thread
Old 10-22-2003, 07:31 AM   #1
eye
Member
 
Registered: May 2003
Distribution: fedora 1
Posts: 137

Rep: Reputation: 15
why warning message is appear?


[root@localhost root]# rpm -i ftp://rpmfind.net/linux/freshrpms/re...8-fr2.i386.rpm
warning : /var/tmp/rpm-xfer.K3Rwdf: V3 DSA signature: NOKEY, key ID e42d547b

why warning message is appear? what' wrong?
 
Old 10-22-2003, 07:40 AM   #2
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,176
Blog Entries: 4

Rep: Reputation: 429Reputation: 429Reputation: 429Reputation: 429Reputation: 429
The warning message simply means that this file is signed and you don't have a copy of the key on your system.

It's, slightly, analogous to the driver disk signing on Windows.

The rpm should still install and since you obviously trust the place the file came from I wouldn't worry about it.
 
Old 10-22-2003, 09:10 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786
As example, for RPM's signed by RedHat the explanation and key are at
http://www.redhat.com/solutions/secu...publickey.html


XavierP wrote: The rpm should still install and since you obviously trust the place the file came from I wouldn't worry about it.
The problem with propagating proper package signing is just this enduser behaviour. People tend to think just because it's from (what they think is) a "trustworthy" site it's good enough. Well, it just isn't from a security point of view. DNS takeovers aren't impossible and in the past download locations of OpenSSH, Sendmail, TCP wrappers, Aide etc etc where compromised, and that should make it clear packages w/o pubkey sign are NOT trustworthy, regardless of what you think the source is. And MD5summing packages is helpfull but not good enough. Until developers and distributors start taking a different approach towards security and will sign by default, installing a package will remain a risk.
Help turning that risk into an acceptable risk is everyone's responsability.
 
Old 10-22-2003, 09:14 AM   #4
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,176
Blog Entries: 4

Rep: Reputation: 429Reputation: 429Reputation: 429Reputation: 429Reputation: 429
unSpawn - very true, big slap on the wrist for me.

Actually, second thoughts, big slap also for the distros and the sites themselves. If the key isn't there we should have to 'force' the install rather than just getting a warning and having to go back and uninstall. By which time the damage may have been done.

At least Microsoft give you the option of not installing unsigned drivers. Maybe a suggestion should be made to the distro makers.

Last edited by XavierP; 10-22-2003 at 09:18 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Partition warning message? kushalkoolwal Programming 4 10-19-2005 03:38 PM
warning message before log in noms Fedora - Installation 1 03-16-2004 08:43 PM
Warning message during bootup Akajack Linux - Newbie 2 09-19-2003 11:44 PM
Boot Warning Message enlight1 Linux - General 6 06-18-2003 01:15 AM
Warning Message at startup onlyhuman9 Linux - General 1 11-29-2001 10:00 PM


All times are GMT -5. The time now is 03:03 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration