Marcus Meissner wrote:
While once you have a repository added the GPG key is known and imported, the initial import of software repositories is tricky and needs to rely on some form of man in the middle protection.
https is some form of solution here.
I've seen sites use https for "login" but http for bulk content. I've seen ssh patches that allow unencrypted transfer of bulk content (like using scp), but disallow unencrypted access for interactive sessions -- for exactly the same reason -- the encrypting of the connection noticeably slows down speeds with the difference being more noticeable the faster the connection gets. Though -- isn't it possible to offer *both* connection types -- staying with whatever protocol the user connects with?