auto importing rpm gpg public keys from keyserver
Andrea Arcangeli
andrea at suse.de
Thu Jun 15 14:12:24 PDT 2006
On Thu, Jun 15, 2006 at 04:53:52PM -0400, Jeff Johnson wrote:
> pgpImportPubkey parses an armored pubkey, checking the CRC,
Actually the unarmored one (I tried the armored one first and it didn't
work, and the unarmored was faster and smaller anyway).
> and wraps the blob in a header using pubkey packet parameters like
> fingerprint and creation time.
So it should be all right if the fingerprint is being checked too.
> Meanwhile, I'm very happy to see smart become opt-out rather than opt-
> in wrto rpm pkg signature verification.
Obviously agreed.
> Prefer signatures over digests over sanity.
If there's no signature the import from keyserver should fail and we're
safe.
> Prefer header-only over header+payload.
> Prefer DSA over RSA. (not for any important reason, the
> RH key is/was DSA.)
This should be ok.
> Still, the choice is way too goosey-loosey for serious crypto.
It still sounds better than no crypto at all ;)
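The checks Jeff describes above (the Radix-64 CRC on an armored key and the fingerprint and creation time pulled from the public key packet), as an added Python example that is not rpm's pgpImportPubkey or any code from this thread; the key block is a synthetic v4 DSA packet constructed inline, and the rpm header wrapping is not modelled.

```python
import base64, hashlib, struct
# Constructed example: de-armor an OpenPGP public key block, verify its CRC-24
# (RFC 4880 s6.1) and derive the v4 fingerprint/creation time (RFC 4880 s12.2).

def crc24(data: bytes) -> int:
    crc = 0xB704CE                      # CRC24_INIT from RFC 4880
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB        # CRC24_POLY
    return crc & 0xFFFFFF

def armor(blob: bytes) -> str:
    """Wrap a binary key in ASCII armor with the trailing '=' CRC-24 line."""
    b64 = base64.b64encode(blob).decode()
    crc = base64.b64encode(crc24(blob).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n"

def dearmor(text: str) -> bytes:
    """Return the binary key; raise ValueError on bad framing or a CRC mismatch."""
    lines = text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----" or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----":
        raise ValueError("not an armored public key block")
    body = [l for l in lines[1:-1] if l.strip() and ": " not in l]   # drop armor headers
    if not body or not body[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    blob = base64.b64decode("".join(body[:-1]))
    if int.from_bytes(base64.b64decode(body[-1][1:]), "big") != crc24(blob):
        raise ValueError("armor CRC-24 mismatch")
    return blob

def pubkey_params(blob: bytes) -> dict:
    """Parse the first packet, which must be an old-format v4 public key packet (tag 6)."""
    ctb = blob[0]
    if ctb & 0xC0 != 0x80 or (ctb >> 2) & 0x0F != 6:
        raise ValueError("first packet is not an old-format public key packet")
    hdr_len = {0: 2, 1: 3, 2: 5}.get(ctb & 0x03)   # 1-, 2- or 4-octet length
    if hdr_len is None:
        raise ValueError("indeterminate-length public key packet")
    body_len = int.from_bytes(blob[1:hdr_len], "big")
    body = blob[hdr_len:hdr_len + body_len]
    if len(body) != body_len or body[0] != 4:
        raise ValueError("truncated or non-v4 public key packet")
    # v4 fingerprint: SHA-1 over 0x99, the two-octet body length, and the body
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", body_len) + body).hexdigest().upper()
    return {"fingerprint": fpr, "created": int.from_bytes(body[1:5], "big"), "algo": body[5]}

# Constructed sample: synthetic v4 DSA (algo 17) key packet with four dummy MPIs.
_BODY = b"\x04" + struct.pack(">I", 1150383144) + b"\x11" + b"\x00\x07\x61" * 4
SAMPLE_PACKET = bytes([0x80 | (6 << 2), len(_BODY)]) + _BODY
SAMPLE_KEY = armor(SAMPLE_PACKET)
```

A real key from a keyserver carries further packets (user IDs, self-signatures, subkeys) after the first one; this example only examines the leading public key packet, which is all the fingerprint needs.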