Installing content is by nature a security risk as it can reconfigure the installation and can do so for potentially malicious purposes. This is the case even when installing content that has no associated associated artifact. To mitigate this risk, p2 tracks the originating external sources of all content being installed and presents that information for review.
External content is typically installed via an https
connection that ensures that the content is security transported from the content authority to the receiver.
This does not guarantee that the content is trustworthy.
The user is encouraged to consider carefully whether the site and associated authority from which content is being downloaded is actually trustworthy.
In the case of content being installed from an unverified site or authority, the Trust Authorities dialog shows the units being installed along with the associated sites and authorities from which those units originate for the user's review and approval. The details of the so-called touch-points of each such unit present any configuration instructions that will be applied during installation. The user may choose which authorities are trusted, and may even choose to install content from all authorities in the future. If all the units originate from trusted authorities, installation will continue; otherwise it's aborted.
The Install/Update > Trust preference page's Authorities tab lists all the authorities considered as trusted and allows to add or remove authorities, or even to allow all content from all authorities to be installed without confirmation.