Mailinglist Archive: opensuse-project (205 mails)
| < Previous | Next > |
Re: [opensuse-project] Signing repos
- From: Bruno Friedmann <bruno@xxxxxxxxxxx>
- Date: Tue, 29 Nov 2011 08:21:44 +0100
- Message-id: <4ED48808.1050904@ioda-net.ch>
On 11/28/2011 10:56 AM, Ludwig Nussel wrote:
Ludwig, we have just one point to fix. Once a key has been trusted and
installed, when it expires there's no warnings
nor other way (as I know) than delete it, and push a new one if exists.
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
openSUSE Member & Ambassador
GPG KEY : D5C9B751C4653227
irc: tigerfoot
--
To unsubscribe, e-mail: opensuse-project+unsubscribe@xxxxxxxxxxxx
To contact the owner, email: opensuse-project+owner@xxxxxxxxxxxx
Administrator wrote:
I would suggest that, as a minimum, signing / build keys for main repos
associated with openSUSE are signed by a main openSUSE key after (in some
fashion) the requester's identity is verified. We can then (individually)
decide to trust that signing process (and hence the signatures) or not.
I'm not sure I understand what you mean. The keys for the official repos
are automatically in rpm's key ring of every installation.
All packages in a repo as well as the repo itself are signed with the
same key. The package signature is added automatically by the build
system and testifies that a certain package was built in a certain
project. The signing key cannot be set by the packager. IOW there is no
point in establishing a web of trust with keys that identify people.
cu
Ludwig
Ludwig, we have just one point to fix. Once a key has been trusted and
installed, when it expires there's no warnings
nor other way (as I know) than delete it, and push a new one if exists.
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
openSUSE Member & Ambassador
GPG KEY : D5C9B751C4653227
irc: tigerfoot
--
To unsubscribe, e-mail: opensuse-project+unsubscribe@xxxxxxxxxxxx
To contact the owner, email: opensuse-project+owner@xxxxxxxxxxxx
| < Previous | Next > |