[opensuse-kde] New key for KDE Community repo
Hi,

I'm not a big fan of seeing new keys suddenly released for established repositories. Can someone confirm that the key issued today for the kde community repository is valid?

Key Fingerprint: B782423BF0F73DB758DD40F282FA2B799F190A22

Also, we need to spend some time thinking about a better way of doing this key management thing. Are the keys perhaps already signed with some known key I can verify against?

Anders

--
To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-kde+help@opensuse.org

On Tuesday 16 February 2010 19:13:32, Anders Johansson wrote:
> Hi,
> I'm not a big fan of seeing new keys suddenly released for established repositories.

It wasn't sudden. It was discussed here on this list. Some people wanted different vendor strings for the Community and Playground repos. So instead of bitching, check the archives first.

On Tuesday, 16 February 2010 21:45:54, Markus wrote:
> On Tuesday 16 February 2010 19:13:32, Anders Johansson wrote:
>> Hi,
>> I'm not a big fan of seeing new keys suddenly released for established repositories.
>
> It wasn't sudden. It was discussed here on this list. Some people wanted different vendor strings for the Community and Playground repos. So instead of bitching, check the archives first.

Not everybody tracks every thread; it was in the thread about vendor change in :Playground and :Community, and that there will be a key change was pretty deep in there.

So basically that was unintended side effects not really thought about before (guessing here).

The question about proper key distribution, signing and keys signing keys isn't something we are very fit here on -kde, that's probably why the key change was pretty sudden.

Karsten

On 16/02/10 20:55, Karsten König wrote:
> On Tuesday, 16 February 2010 21:45:54, Markus wrote:
>> On Tuesday 16 February 2010 19:13:32, Anders Johansson wrote:
>>> Hi,
>>> I'm not a big fan of seeing new keys suddenly released for established repositories.
>
> Not everybody tracks every thread; it was in the thread about vendor change in :Playground and :Community, and that there will be a key change was pretty deep in there.
>
> So basically that was unintended side effects not really thought about before (guessing here).
>
> The question about proper key distribution, signing and keys signing keys isn't something we are very fit here on -kde, that's probably why the key change was pretty sudden.
>
> Karsten

Someone (Will?) should probably blog and post on openSUSE news about it like we did for the KDE:43 removal, please.

Sorry to continue this discussion on -kde, but regardless of whether one knew about the key change there is a question about how to verify the new key is the correct new key. Maybe there should be a key list somewhere all signed by some SuSE master key? There was never any message containing the new key AFAIK.

Regards.
Tejas

On Wednesday, 17 February 2010 00:20:21, Tejas Guruswamy wrote:
> Sorry to continue this discussion on -kde, but regardless of whether one knew about the key change there is a question about how to verify the new key is the correct new key. Maybe there should be a key list somewhere all signed by some SuSE master key? There was never any message containing the new key AFAIK.
>
> Regards.
> Tejas

You can try discussing that here, it's just that the experts about repository and package signing are located on the -buildservice list, or at least they'll have better pointers than most here do. If there is a sudden key change I mostly just ask in IRC if it changed, even though I know that's not how it should work ;-)

Karsten

On Wednesday, 17 February 2010 00:20:21, Tejas Guruswamy wrote:
> On 16/02/10 20:55, Karsten König wrote:
>> On Tuesday, 16 February 2010 21:45:54, Markus wrote:
>>> On Tuesday 16 February 2010 19:13:32, Anders Johansson wrote:
>>>> Hi,
>>>> I'm not a big fan of seeing new keys suddenly released for established repositories.
>>
>> Not everybody tracks every thread; it was in the thread about vendor change in :Playground and :Community, and that there will be a key change was pretty deep in there.
>>
>> So basically that was unintended side effects not really thought about before (guessing here).
>>
>> The question about proper key distribution, signing and keys signing keys isn't something we are very fit here on -kde, that's probably why the key change was pretty sudden.
>>
>> Karsten
>
> Someone (Will?) should probably blog and post on openSUSE news about it like we did for the KDE:43 removal, please.
>
> Sorry to continue this discussion on -kde, but regardless of whether one knew about the key change there is a question about how to verify the new key is the correct new key. Maybe there should be a key list somewhere all signed by some SuSE master key?

How would this help you?

> There was never any message containing the new key AFAIK.

The public keys can be requested via "osc signkey" and they are part of the repos. They are signed by the OBS default key, but that does not give you much information. You still can't judge whether you should add the repo or not, because you need to decide anyway based on the project/repository setup.

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de

On 17/02/10 07:34, Adrian Schröter wrote:
> On Wednesday, 17 February 2010 00:20:21, Tejas Guruswamy wrote:
>> Sorry to continue this discussion on -kde, but regardless of whether one knew about the key change there is a question about how to verify the new key is the correct new key. Maybe there should be a key list somewhere all signed by some SuSE master key?
>
> How would this help you?

If you were suspicious that someone had taken advantage of the key-change to attack, you would want to know what was the "correct" new key from some other trusted source.

>> There was never any message containing the new key AFAIK.
>
> The public keys can be requested via "osc signkey" and they are part of the repos. They are signed by the OBS default key, but that does not give you much information.

This is the step I was missing. Assuming the osc api is secure enough, and you trust the maintainers of the repository and the OBS default key, this is probably enough verification.

Regards,
Tejas
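
The cross-check discussed in this thread, as an added example that is not part of any message above or of openSUSE tooling: compare the full fingerprint announced on the list with the primary-key fingerprint of the key as obtained from each channel (the key printed by "osc signkey" and the key file shipped in the repository). It assumes each key has been listed in gpg's `--with-colons` format; the listings below are constructed, and the function names are hypothetical.

```python
# Fingerprint quoted in the first message of this thread.
ANNOUNCED = "B782423BF0F73DB758DD40F282FA2B799F190A22"

# Constructed --with-colons listings; only the fields used here are filled in.
FROM_OSC = """\
pub:-:::82FA2B799F190A22:::::::
fpr:::::::::B782423BF0F73DB758DD40F282FA2B799F190A22:
uid:-::::::::constructed user id:
sub:-:::1111111111111111:::::::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
"""
# Constructed mismatch: same 16-digit key ID, different full fingerprint.
FROM_REPO_MISMATCH = """\
pub:-:::82FA2B799F190A22:::::::
fpr:::::::::0123456789ABCDEF0123456782FA2B799F190A22:
"""

def normalize(fpr):
    """Upper-case a fingerprint, drop spaces/colons, insist on all 40 hex digits."""
    cleaned = "".join(fpr.split()).replace(":", "").upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError(f"not a full 40-hex-digit fingerprint: {fpr!r}")
    return cleaned

def primary_fingerprints(colon_listing):
    """Return the fingerprint of each primary key; subkey fingerprints are skipped."""
    found, owner = [], None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]              # the next fpr record belongs to this key
        elif fields[0] == "fpr" and owner == "pub" and len(fields) > 9:
            found.append(normalize(fields[9]))   # field 10 holds the fingerprint
            owner = None
    return found

def check_key(announced, *listings):
    """True only if every source holds exactly one primary key whose full
    fingerprint equals the announced one."""
    expected = normalize(announced)
    return all(primary_fingerprints(l) == [expected] for l in listings)

if __name__ == "__main__":
    print("osc copy matches announcement:", check_key(ANNOUNCED, FROM_OSC))
    print("both channels match:", check_key(ANNOUNCED, FROM_OSC, FROM_REPO_MISMATCH))
```

A matching short or long key ID is rejected by `normalize`, so only a full-fingerprint match across every channel passes.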

participants (5): Adrian Schröter, Anders Johansson, Karsten König, Markus, Tejas Guruswamy