-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-29 16:36, Claudio Freire wrote:
On Tue, May 29, 2012 at 10:06 AM, Carlos E. R.
wrote: I *hope* the security never depends on the server but on cryptographically signing the files - and verifying the validity of the signature before using them.
Verifying the signatures is not possible, they are not listed on a secure server.
What is a secure server?
https
Even the DVD could be rewritten by a rogue mirror with false signatures. A lot of work, but doable.
Assuming (and it's no small assumption) that you trust the signing key, that is not possible. How do you get to trust a signing key? Well... you have a leap of faith the first time you configure a repo. How do you avoid that leap of faith? With an official page that lists official repo's key checksums that uses https signed by a trustworthy CA. And the user has to check. If he/she doesn't... leap of faith it is still.
That is my point. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/E3+YACgkQIvFNjefEBxoRMwCgnsK9tZgpm+Sncm8fqwUQa38C HNcAn1AwIH4PpiNysC/lb5u/p2H8Ac02 =LcBz -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org