On 30/11/11 07:48, Administrator wrote:
I would suggest that, as a minimum, signing / build keys for main repos associated with openSUSE are signed by a main openSUSE key after (in some fashion) the requester's identity is verified. We can then (individually) decide to trust that signing process (and hence the signatures) or not. I'm not sure I understand what you mean. The keys for the official repos are automatically in rpm's key ring of every installation. All packages in a repo as well as the repo itself are signed with the same key. The package signature is added automatically by the build system and testifies that a certain package was built in a certain project. The signing key cannot be set by the packager. IOW there is no point in establishing a web of trust with keys that identify people. I may be using the wrong terminology, but I get repeated warnings when updating the system that "The file repomd.xml ... is digitally signed with the following unknown GnuPG key ..." and then asked if I want to use it anyway. There is no way to check if the key referred to is valid.
It seems to happen a lot on the Java repository ...
It is happening on the Java repo almost everytime I do a zypper refresh. Happened several minutes ago. It is getting beyond being annoying. Makes one wonder if the maintainer knows what s/he is doing or whether the the repo is compromised. BC -- What religion were Adam and Eve? -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org