Mailinglist Archive: opensuse-buildservice (169 mails)

[opensuse-buildservice] Re: [opensuse-security] Verifying authenticity of Community Repositories
  • From: Marcus Meissner <meissner@xxxxxxx>
  • Date: Thu, 27 Dec 2007 10:04:20 +0100
  • Message-id: <20071227090420.GA24986@xxxxxxx>
On Thu, Dec 27, 2007 at 01:05:58AM +0100, nordi wrote:
> Hi!
>
> Today I wanted to add some community repositories as installation
> sources, more specifically stuff from the OpenSuse Build Service. Yast
> complained about an untrusted key, since the public key of the build
> service is not included in the distribution (not to be confused with the
> build key, which is included).
>
> Of course I could just press the "OK" button, or download the key from
> [1], import it and never be bothered again. But that key has no
> signatures and is transmitted via http, so I still do not know if I have
> the right key. Is there any way of securely retrieving the authentic
> public key of the build service without traveling to Nuremberg? How is
> the average user supposed to do that?

Actually we should perhaps just sign it with a known key.

Also, we will switch to per-project GPG keys in the future.

Ciao, Marcus