Hi openSUSE people,

I'm not an openSUSE member (I don't do software development any more) but would like to get a serious security flaw fixed: there is no way to check the validity of a repository / build signing key. [You are welcome to correct me if I'm wrong - I'd love to know how to check this.]

I would suggest that, as a minimum, signing / build keys for the main repos associated with openSUSE are signed by a main openSUSE key after (in some fashion) the requester's identity is verified. We can then (individually) decide whether to trust that signing process (and hence the signatures) or not. There would have to be a clear statement of both the identity verification process and the full extent of the assurance this signature gives.

I would suggest there should also be some kind of quality threshold (e.g. bug fix statistics) as well as a method to revoke the key / signature.

Or does one of the openSUSE security experts have a better simple suggestion? What would I need to do to effect this change?

Any advice or comment is very welcome.

Yours,
David Hodgson
-- 
To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org
To contact the owner, email: opensuse-project+owner@opensuse.org
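One way to perform the check the post asks for, once repository keys are certified by a master key as proposed: parse the output of `gpg --with-colons --check-sigs` and accept a repository key only if it carries a good, unrevoked certification from the master key and is itself neither revoked nor expired. This is an added example written for this thread; it is not the poster's code and not openSUSE's own tooling. It assumes GnuPG's documented colon record layout (field 2 of a `sig`/`rev` record is `!` for a good signature, field 5 is the signer's key ID, field 10 of `uid`/`fpr` records is the user ID or fingerprint), and that a good `rev` record under a user ID cancels that signer's earlier `sig`, while a good `rev` by the key itself before the first `uid` is a key revocation. The sample listing, every key ID, fingerprint and user ID in it, and the names `check_repo_key`, `parse_colon_listing` and `MASTER_KEYID` are constructed placeholders, not real openSUSE identifiers.

```python
"""Added example for this thread (not the poster's code, not openSUSE tooling):
verify that a repository signing key carries a good, unrevoked certification
from a named master key, using `gpg --with-colons --check-sigs` output.
Assumed record layout (GnuPG doc/DETAILS): field 2 of sig/rev is '!' for a
good signature, field 5 is the signer key ID, field 10 of uid/fpr is the user
ID / fingerprint; a good `rev` under a uid cancels that signer's earlier `sig`;
a good `rev` by the key itself before the first uid revokes the key.
All key IDs, fingerprints and user IDs below are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class KeyInfo:
    keyid: str
    validity: str                                      # 'r' revoked, 'e' expired
    fingerprint: str = ""
    key_revoked: bool = False
    certs: dict = field(default_factory=dict)          # uid -> good third-party signer IDs
    revoked_certs: dict = field(default_factory=dict)  # uid -> signer IDs that revoked


def parse_colon_listing(text):
    """Return one KeyInfo per primary key in a --with-colons listing."""
    keys, cur, section, uid = [], None, None, None
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            cur = KeyInfo(keyid=f[4], validity=f[1])
            keys.append(cur)
            section, uid = "key", None
        elif cur is None:
            continue                                   # anything before the first pub
        elif rec == "sub":
            section = "sub"                            # subkey bindings are not certifications
        elif rec == "fpr" and section == "key" and not cur.fingerprint:
            cur.fingerprint = f[9].upper()
        elif rec == "uid":
            section, uid = "uid", f[9]
            cur.certs.setdefault(uid, set())
            cur.revoked_certs.setdefault(uid, set())
        elif rec == "sig" and section == "uid" and f[1] == "!" and f[4] != cur.keyid:
            cur.certs[uid].add(f[4])                   # good certification by another key
        elif rec == "rev" and f[1] == "!":
            if section == "key" and f[4] == cur.keyid:
                cur.key_revoked = True                 # key revocation by the key itself
            elif section == "uid":
                cur.certs[uid].discard(f[4])           # signer withdrew its certification
                cur.revoked_certs[uid].add(f[4])
    return keys


def check_repo_key(listing, repo_fpr, master_keyid):
    """Return (ok, reason): is the key with this fingerprint vouched for by the master key?"""
    keys = parse_colon_listing(listing)
    master = next((k for k in keys if k.keyid == master_keyid), None)
    if master is None or master.key_revoked or master.validity == "r":
        return False, "master key missing or revoked"
    want = repo_fpr.replace(" ", "").upper()
    key = next((k for k in keys if k.fingerprint == want), None)
    if key is None:
        return False, "repo key not in keyring"
    if key.key_revoked or key.validity == "r":
        return False, "repo key revoked"
    if key.validity == "e":
        return False, "repo key expired"
    uids = sorted(u for u, s in key.certs.items() if master_keyid in s)
    if uids:
        return True, "certified by master key on: " + "; ".join(uids)
    if any(master_keyid in s for s in key.revoked_certs.values()):
        return False, "certification by master key revoked"
    return False, "no good certification by master key"


MASTER_KEYID = "A1B2C3D4E5F60718"                     # constructed placeholder
REPO_A = "777788889999AAAABBBBCCCC0F1E2D3C4B5A6978"   # certified by master
REPO_B = "DDDDEEEEFFFF0000111122221234567890ABCDEF"   # certification later revoked
REPO_C = "999900001111AAAA2222BBBB0011223344556677"   # key itself revoked
SAMPLE_LISTING = """\
pub:u:4096:1:A1B2C3D4E5F60718:1500000000:::u:::scESC::::::23::0:
fpr:::::::::111122223333444455556666A1B2C3D4E5F60718:
uid:u::::1500000000::0000000000000000000000000000000000000001::Example Master Key <master@example.invalid>::::::::::0:
sig:!::1:A1B2C3D4E5F60718:1500000000::::Example Master Key <master@example.invalid>:13x:::::2:
pub:f:4096:1:0F1E2D3C4B5A6978:1510000000:::f:::scESC::::::23::0:
fpr:::::::::777788889999AAAABBBBCCCC0F1E2D3C4B5A6978:
uid:f::::1510000000::0000000000000000000000000000000000000002::Example Repo A Signing Key <repo-a@example.invalid>::::::::::0:
sig:!::1:0F1E2D3C4B5A6978:1510000000::::Example Repo A Signing Key <repo-a@example.invalid>:13x:::::2:
sig:!::1:A1B2C3D4E5F60718:1510000100::::Example Master Key <master@example.invalid>:10x:::::2:
pub:-:4096:1:1234567890ABCDEF:1520000000:::-:::scESC::::::23::0:
fpr:::::::::DDDDEEEEFFFF0000111122221234567890ABCDEF:
uid:-::::1520000000::0000000000000000000000000000000000000003::Example Repo B Signing Key <repo-b@example.invalid>::::::::::0:
sig:!::1:A1B2C3D4E5F60718:1520000100::::Example Master Key <master@example.invalid>:10x:::::2:
rev:!::1:A1B2C3D4E5F60718:1530000000::::Example Master Key <master@example.invalid>:30x:::::2:
pub:r:4096:1:0011223344556677:1540000000:::r:::scESC::::::23::0:
fpr:::::::::999900001111AAAA2222BBBB0011223344556677:
rev:!::1:0011223344556677:1550000000::::Example Repo C Signing Key <repo-c@example.invalid>:20x:::::2:
uid:r::::1540000000::0000000000000000000000000000000000000004::Example Repo C Signing Key <repo-c@example.invalid>::::::::::0:
sig:!::1:A1B2C3D4E5F60718:1540000100::::Example Master Key <master@example.invalid>:10x:::::2:
"""

if __name__ == "__main__":
    for name, fpr in (("A", REPO_A), ("B", REPO_B), ("C", REPO_C)):
        print(name, check_repo_key(SAMPLE_LISTING, fpr, MASTER_KEYID))
```

To run this against a real system, import the repository keys into a scratch keyring together with the master key, feed the output of `gpg --with-colons --check-sigs` to `check_repo_key`, and compare the fingerprint you pass in against the one published out of band; `--check-sigs` matters because `--list-sigs` prints signatures without verifying them, so only records whose second field is `!` are trusted here. On an RPM-based system `rpm -q gpg-pubkey` lists the keys rpm has imported, which is the set this check needs to cover.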