On Monday, November 28, 2011 03:56:23 AM Ludwig Nussel wrote:
> The package signature is added automatically by the build system and testifies that a certain package was built in a certain project.
This is good, but still, how can one check whether a key originated from OBS or from some malicious site? How does one verify that a key change, which happens from time to time, is a regular replacement for an expired key and not malicious activity, or a sign that someone already used a fake key and now the real one comes as a "replacement"?
> The signing key cannot be set by the packager. IOW there is no point in establishing a web of trust with keys that identify people.
While in the current process there is no point in creating a web of trust, the fact is that my trust in a repository depends, among other things, on the listed maintainers and their previous activity.

--
Regards, Rajko