Mailinglist Archive: opensuse-buildservice (314 mails)

Re: [opensuse-buildservice] osc build & sign keys
  • From: "Dominique Leuenberger" <Dominique.Leuenberger@xxxxxxxxxxxxx>
  • Date: Fri, 25 Jan 2008 13:17:57 +0100
  • Message-id: <4799EF95.2554.0029.1@xxxxxxxxxxxxx>
On 25-01-2008 at 13:49, Adrian Schröter <adrian@xxxxxxx> wrote:
> actually, I am not that sure that this should be changed.
>
> How should an external see that this package was not built by this
> certain project/person?

Well, there we anyhow come to a critical point: a project gets a new
person for one package. There is close to no background check performed
on such a person; access is granted within a few minutes after asking on
the ML (I know it... I was actually surprised myself how easily I got
access to repos like {GNOME|KDE}:Community).

Sure, the packagers are the ones we need to grow, but how can an end
user now 'trust' such a constellation of packages?

With aggregates, the problem is that several packages within one repo
are signed with a key different from the one specified in the repo. Does
the end user need to be aware of this? Or could he just trust the project
owner that he aggregated packages which he trusts? (indirect trust
relationship).

Dominique