Mailinglist Archive: opensuse-buildservice (287 mails)

< Previous Next >
Re: [opensuse-buildservice] RFC: OBS repository security enhancements
  • From: Dirk Stoecker <opensuse@xxxxxxxxxxxx>
  • Date: Wed, 5 Sep 2007 18:13:07 +0200 (CEST)
  • Message-id: <alpine.LNX.0.9999.0709051806020.17693@xxxxxxxxxxxxxxxxx>
On Wed, 5 Sep 2007, Adrian Schröter wrote:

* People who currently use repositories from OBS will need to import the new
  gpg key(s). Otherwise the package managers will report errors.

Is signing with two keys possible? If so use a new buildservice key and still sign all packages with the old one (at least for older distributions).
Add multi-key handling for openSUSE 10.3 and start using it there.

* Allow upload of privates to be used to sign repos ?
  These keys *must not* get signed by the global OBS key, since they can be
  used elsewhere.

Don't think this is useful. I would not upload any of my private keys. But I would like to sign my repository-key with my private key. The buildservice should then provide the signed public keys.

* Does it make sense allow to reuse one key for multiple projects ?
  Does anyone want to have this at all ?

- If multiple signatures are possible, this would be useful.
- Also it would be required to have only one key for subprojects
  (e.g. Education:xxx)

Ciao
--
http://www.dstoecker.eu/ ;(PGP key available)
< Previous Next >
References