https://bugzilla.novell.com/show_bug.cgi?id=654346
https://bugzilla.novell.com/show_bug.cgi?id=654346#c0
Summary: repository in Buildservice
openSUSE:/11.3:/Contrib/standard/ is broken
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: Other
OS/Version: openSUSE 11.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Download Infrastructure
AssignedTo: lrupp@novell.com
ReportedBy: david.werner@iws.uni-stuttgart.de
QAContact: lrupp@novell.com
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.5; Linux) KHTML/4.5.2
(like Gecko) SUSE
The Repository
http://download.opensuse.org/repositories/openSUSE:/11.3:/Contrib/standard/
is broken.
The repokey repodata/repomd.xml.key is:
pub 2048R/3DBDC284 2008-11-07 openSUSE Project Signing Key
while the packages as 3dto3d-3.5-62.1.i586.rpm are signed with key ID:
3c51f898.
Automatic update fails, autoyast fails if want wants not to switch to insecure
settings etc, user can get irritated by not matching keys. Thus content of
repository renders quite unusable to a serious person.
additional remarks:
Please do not change to often keys of existing repositories and if change is
unavoidable do it in the right way.
There should be also infrastructure which tells admins and users about which
keys are in use or have changed at which time. package keys should also be
signed, that an user can verify signatures by a web of trust? Is that too
complicated?
Reproducible: Always
Steps to Reproduce:
1. apply 'gpg repomd.xml.key'
2. apply 'rpm -qp 3dto3d-3.5-62.1.i586.rpm'
3.
Actual Results:
keyids of repository-key and signature within rpm are different
Expected Results:
keyids of repository-key and signature within rpm within rom should/must be imo
the same
Existing installations procedures like autoyast with it as add-on repository
and update-procedures fail or get noisy.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.