On 17/02/10 07:34, Adrian Schröter wrote:
Am Mittwoch, 17. Februar 2010 00:20:21 schrieb Tejas Guruswamy:
Sorry to continue this discussion on -kde, but regardless of whether one knew about the key change there is a question about how to verify the new key is the correct new key. Maybe there should be a key list somewhere all signed by some SuSE master key?
How would this help you ?
If you were suspicious that someone had taken advantage of the key-change to attack, you would want to know what was the "correct" new key from some other trusted source.
There was never any message containing the new key AFAIK. The public keys can be requested via "osc signkey" and they are part of the repos. They are signed by the OBS default key, but that gives you not much information.
This is the step I was missing, assuming the osc api is secure enough, and you trust the maintainers of the repository and the OBS default key, this is probably enough verification. Regards, Tejas -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-kde+help@opensuse.org