Mailinglist Archive: opensuse-bugs (5051 mails)

[Bug 752105] Permanent PGP-key changes on several repositories

https://bugzilla.novell.com/show_bug.cgi?id=752105

https://bugzilla.novell.com/show_bug.cgi?id=752105#c3


Frank Schäfer <schaefer.frank@xxxxxxx> changed:

What         |Removed                 |Added
----------------------------------------------------------------------------
Status       |NEEDINFO                |NEW
InfoProvider |schaefer.frank@xxxxxxx  |

--- Comment #3 from Frank Schäfer <schaefer.frank@xxxxxxx> 2012-03-14 18:13:22 UTC ---
Interesting. But this bug report is not only about the JAVA-repo, it's just one
example.

As far as I understand, the idea of signing repositories is to increase
security.
But when the PGP-keys are changing often, the only result is confused/annoyed
users (take a look at the warning message that appears!).
Most users don't know how to check the new keys and of course they don't know
why the key changed. Guess what people are doing...
This will in fact decrease security, because people stop taking the messages
seriously. Which leads to the following question: is openSUSE/Novell taking the
key changes seriously? Shouldn't someone from openSUSE/Novell check
what's going in the repos... Are you sure that all the key changes were just
accidents? ;-)

So please, minimize PGP-key changes. If a key changes, there should be a simple
method to verify the new key.
If that's not possible, I suggest abolishing PGP-signing.
