Welcome to the head of a user! (Check Open Advice, page 121, to find out where this post comes from.)
Last week I upgraded to Fedora 19, at work.
For the first update of this new release, the user needs to say that she trusts the source of a package. The “help” page is quite hard to understand, which is a problem.
- Repository name: rpmfusion-free-updates
I know rpmfusion but have never heard of this “free updates” thing.
- Signature URL: /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-19
Perfect, it gives me a PGP public key. But it’s in /etc, which means that this key already magically arrived on my computer? Why? How? When? How do I verify it?
- Signature user identifier: RPM Fusion free repository for Fedora (19) <firstname.lastname@example.org>
Sure, but it doesn’t really help. Does it just mean that I should write to a mailing list to tell them that I don’t get what they are trying to tell me to do 😀 ?
- Signature identifier: 172FF33D
Ha, that looks useful. But again, I don’t know where to verify it.
Strange name… I don’t know what it is or what it is for. If I say that I don’t want to trust this package, the general update process stops.
- Do you recognize the user and trust this key?
Well, no, I don’t. But I still want my other updates! Having security pop-ups is good, but not if it confuses the user more than it helps her.
The help page says:
To trust a repository, you should verify the details of the signing key. Normally the best way to do this is to go to the web page of the software source, and try to find details about the key used to sign the packages. This is normally called a GPG key.
You should only proceed with this dialog if you are happy to trust packages from this software source.
Fine, but there’s no URL in the pop-up. Should I check the website of rpmfusion, of Fedora (19), or this “gstreamer…ugly” package?
Result: I’m stuck.
Verifying the keys is important; I would like to know how to do it. 90% of not very technical users would just click yes in this situation, because a computer needs to work and not just to bother us.
Next step: contact someone involved in the Fedora project and improve the documentation.