Mailinglist Archive: opensuse-project (317 mails)

Re: [opensuse-project] Signing repos
On 30/11/11 07:48, Administrator wrote:
> I would suggest that, as a minimum, signing / build keys for main repos
> associated with openSUSE are signed by a main openSUSE key after (in
> some fashion) the requester's identity is verified. We can then
> (individually) decide to trust that signing process (and hence the
> signatures) or not.
>
> I'm not sure I understand what you mean. The keys for the official repos
> are automatically in rpm's key ring of every installation.
> All packages in a repo as well as the repo itself are signed with the
> same key. The package signature is added automatically by the build
> system and testifies that a certain package was built in a certain
> project. The signing key cannot be set by the packager. IOW there is no
> point in establishing a web of trust with keys that identify people.
>
> I may be using the wrong terminology, but I get repeated warnings when
> updating the system that "The file repomd.xml ... is digitally signed with
> the following unknown GnuPG key ..." and then asked if I want to use it
> anyway. There is no way to check if the key referred to is valid.

It seems to happen a lot on the Java repository ...

It is happening on the Java repo almost every time I do a zypper refresh. Happened several minutes ago. It is getting beyond being annoying. Makes one wonder if the maintainer knows what s/he is doing or whether the repo is compromised.

BC

--
What religion were Adam and Eve?
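The thread turns on a key point: the "unknown GnuPG key" prompt only tells you that the key offered by the repository is not one rpm already holds, and the complaint is that there is "no way to check if the key referred to is valid". One way to make that check explicit, as an added example that is not code from this thread or from openSUSE, is to parse the public key a repository publishes next to repomd.xml (the repomd.xml.key file), compute its OpenPGP v4 fingerprint, and compare it against the keys rpm has already imported. rpm records imported keys as pseudo-packages named gpg-pubkey-<low 32 bits of the key id>-<creation time in hex>, which is what `rpm -q gpg-pubkey` lists. The armored key in the example is constructed from arbitrary numbers so the script runs offline; it is not any real openSUSE key, and the `rpm_gpg_pubkeys` list stands in for the output of `rpm -q gpg-pubkey` on a real system.

```python
import base64
import hashlib


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor from a PGP PUBLIC KEY BLOCK and return raw OpenPGP packets.
    Armor headers (e.g. 'Version:') end at the first blank line; the trailing
    '=XXXX' line is the CRC24 checksum, not key data, so it is skipped."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored PGP block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            in_body = line.strip() == ""
            continue
        if not line.startswith("="):
            body.append(line.strip())
    return base64.b64decode("".join(body))


def iter_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 section 4.2).
    Partial/indeterminate lengths never occur in exported public keys and are rejected."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length-type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = {0: 1, 1: 2, 2: 4}[ltype]
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += hdr + length


def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    if pubkey_body[0] != 4:
        raise ValueError("only v4 keys supported")
    prefix = b"\x99" + len(pubkey_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def key_info(armored: str) -> dict:
    """Fingerprint, 64-bit key id, rpm-style short id and creation time of the primary key."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:  # public-key packet (subkeys are tag 14 and not used here)
            fp = v4_fingerprint(body)
            return {"fingerprint": fp, "keyid": fp[-16:], "rpm_version": fp[-8:].lower(),
                    "created": int.from_bytes(body[1:5], "big")}
    raise ValueError("no public-key packet found")


def key_is_trusted(armored: str, rpm_gpg_pubkeys: list) -> bool:
    """True if the offered key is already imported into rpm, i.e. appears in `rpm -q gpg-pubkey`
    as gpg-pubkey-<low 32 bits of key id>-<creation time, 8 hex digits>."""
    info = key_info(armored)
    return f"gpg-pubkey-{info['rpm_version']}-{info['created']:08x}" in rpm_gpg_pubkeys


# --- constructed sample key (arbitrary numbers, not a real key) ---------------------------
def _mpi(x: int) -> bytes:
    return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")


def _crc24(data: bytes) -> str:
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return base64.b64encode((crc & 0xFFFFFF).to_bytes(3, "big")).decode()


def build_sample_armored_key(created: int = 0x4ED5A1F0) -> str:
    """Old-format tag-6 packet (CTB 0x99) holding a toy v4 RSA key with a constructed modulus."""
    n = 0xC3D2E1F0123456789ABCDEF0FEDCBA98765432100F1E2D3C  # 192-bit, constructed
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(65537)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body
    b64 = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + b64 + "\n=" + _crc24(packet) + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    key = build_sample_armored_key()
    info = key_info(key)
    print(info)
    # stand-in for `rpm -q gpg-pubkey` output on a machine that already has this key
    print(key_is_trusted(key, [f"gpg-pubkey-{info['rpm_version']}-{info['created']:08x}"]))
```

On a real system the list passed to `key_is_trusted` comes from `rpm -q gpg-pubkey`, and the armored text from the repository's repomd.xml.key. When the key is not in rpm yet, the fingerprint printed by `key_info` is the value to compare against the fingerprint the project publishes out of band; it is that comparison, not the "use it anyway" prompt, that decides whether an unknown key is valid.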

--
To unsubscribe, e-mail: opensuse-project+unsubscribe@xxxxxxxxxxxx
To contact the owner, email: opensuse-project+owner@xxxxxxxxxxxx
