On 2011-11-28 10:56, Ludwig Nussel wrote:
> Administrator wrote:
>> I would suggest that, as a minimum, signing / build keys for main repos associated with openSUSE are signed by a main openSUSE key after (in some fashion) the requester's identity is verified. We can then (individually) decide to trust that signing process (and hence the signatures) or not.
>
> I'm not sure I understand what you mean. The keys for the official repos are automatically in rpm's key ring of every installation. All packages in a repo as well as the repo itself are signed with the same key. The package signature is added automatically by the build system and testifies that a certain package was built in a certain project. The signing key cannot be set by the packager. IOW there is no point in establishing a web of trust with keys that identify people.
Often when we add a repo we are asked whether we trust the new PGP key of the repo, and we have no way to know if that new key is good or not before importing it. There is no web of trust, no verification method. Even worse, a key expires sometimes and the owners are not aware.

-- 
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 "Emerald" GM (Minas Tirith))
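As an added example (not from the thread, and not openSUSE's own tooling), a Python check of the kind the last message asks for: inspect a downloaded repo key before importing it, flag an expired or soon-expiring key, tell whether rpm already holds it, and otherwise hand back the fingerprint for out-of-band verification. The gpg and rpm outputs below are constructed samples; in practice they would come from `gpg --with-colons --show-keys repomd.xml.key` (assumed available in gpg 2.1.23 or later) and `rpm -q gpg-pubkey`.

```python
# Added example: pre-import inspection of a repository signing key (not openSUSE code).

# Constructed gpg colon-format listing; key id, fingerprint and dates are made up.
SAMPLE_GPG_COLONS = """\
pub:-:2048:1:0123456789ABCDEF:1290000000:1420000000::-:::scSC::::::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF89ABCDEF:
uid:-::::1290000000::0000000000000000000000000000000000000000::Example Repo Key <repo@example.invalid>::::::::::0:
"""

# Constructed `rpm -q gpg-pubkey` output: rpm names an imported key after the
# low 32 bits of its key id and its creation time, both in lower-case hex.
SAMPLE_RPM_KEYS = "gpg-pubkey-89abcdef-4ce3d680\ngpg-pubkey-deadbeef-4b0f6d7c\n"


def parse_show_keys(colons):
    """Group gpg --with-colons records into one dict per primary key."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":  # field 5: key id, 6: created, 7: expires (empty = never)
            keys.append({"keyid": f[4], "created": int(f[5]),
                         "expires": int(f[6]) if f[6] else None,
                         "fingerprint": None, "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = f[9]  # first fpr after pub belongs to the primary key
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys


def rpm_pubkey_name(key):
    """The gpg-pubkey package name rpm would use for this key."""
    return f"gpg-pubkey-{key['keyid'][-8:].lower()}-{key['created']:08x}"


def assess_repo_key(colons, rpm_keys, now_ts, warn_days=30):
    """Return (verdict, detail): reject, expired, expiring, known or new."""
    keys = parse_show_keys(colons)
    if len(keys) != 1:  # a repo key file should carry exactly one primary key
        return "reject", f"expected one key, found {len(keys)}"
    k = keys[0]
    if k["expires"] is not None:
        days_left = (k["expires"] - now_ts) / 86400
        if days_left <= 0:
            return "expired", f"{k['fingerprint']} expired {-days_left:.0f} days ago"
        if days_left < warn_days:
            return "expiring", f"{k['fingerprint']} expires in {days_left:.0f} days"
    if rpm_pubkey_name(k) in rpm_keys.split():
        return "known", f"already imported as {rpm_pubkey_name(k)}"
    # Nothing local vouches for a new key: its fingerprint must be checked against a published value.
    return "new", f"verify fingerprint out of band: {k['fingerprint']} ({', '.join(k['uids'])})"
```

The expiry check is the part that addresses the "owners are not aware" problem: run on a schedule against already-configured repos, it surfaces a key that is about to lapse before updates start failing.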