> As ftp is a weird protocol anyway, I don't think it should be used so much, especially for important things like updates.
> They should use scp :-)
Oh please. rpm's package signing is there to check the integrity of packages which have come from unknown sources (read ftp servers) and to protect against intentional corruption. Using scp would be another waste of time, as yast should pop up a big box in bright red reading "integrity of this package can't be checked / fails to verify and it may be corrupted and contain a trojan/virus/othernasty - would you like me to permanently remove this package - default answer yes" if necessary.

Note I'm talking about rpm signatures, not its md5 sum, which only protects against accidental corruption on download. apt-get AFAIU does not check package signatures, nor are most debian packages signed anyway. Considering the ten zillion packagers, signing in a way which makes some sense is somewhat difficult, and may not yet be operational.

I agree with Roman - use apt-get if you feel so inclined, I won't. Why not use microdaft straight away - it's all very easy too, and security is an afterthought at best. I find downloading a recursive ftp server dir listing tells me what's new (there are time stamps on files). wget and rpm -Kv immediately after download work well, so does rpm -UvhF on all machines I have. If it's urgent, copy/paste from the advisory into wget does work too. I don't see a big problem, although yes it could be automated more to make it an absolute no-brainer. No doubt YOU will get there.
> I have submitted several bug reports to feedback@suse.com and bugs@suse.de
It's feedback@suse.de as listed in every rpm info and stated on mailing lists many times. These reports are acted on, SuSE did say that many times too, and I know from experience that that is correct. Also, as it's security-relevant you ought to be using security@suse.de at least some days before contacting bugtraq.
> and not heard back from them. I have a serious mind to submit this to BugTraq in the hope of forcing SuSE to do something about it. I've never done anything like that before - do you think I should?
I consider it to be a serious issue if true, but unless you correctly notify SuSE you can't claim "vendor notified" status on bugtraq, which does not look good on you.

Volker

--
Volker Kuhlmann
Please do not CC list postings to me.
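The "wget then rpm -K before install" routine Volker describes, as an added example that is not code from the thread: a POSIX sh wrapper that refuses to install unless rpm's summary line reports a verified signature (gpg/pgp), because a line like "foo.rpm: md5 OK" means only the digest was checked, which catches accidental corruption but not a substituted package. It assumes rpm 4.x-style "rpm -K" output; the package URL is a placeholder supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumes "rpm -K" prints one summary line per package in the rpm 4.x style,
# e.g. "foo.rpm: md5 gpg OK" or "foo.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: ...)".

# Return 0 only when an "rpm -K" summary line shows a *signature* that verified.
# "md5 OK" alone (digest only, no gpg/pgp token) is rejected on purpose:
# a digest proves the download was not corrupted, not who built the package.
rpm_sig_verified() {
    line=$1
    case "$line" in
        *"NOT OK"*) return 1 ;;          # rpm flags bad or unverifiable signatures this way
    esac
    # drop the "filename: " prefix and lowercase the rest for matching
    result=$(printf '%s\n' "$line" | sed 's/^[^:]*: *//' | tr 'A-Z' 'a-z')
    case "$result" in
        *gpg*ok|*pgp*ok|*signatures*ok) return 0 ;;   # a signature token followed by OK
        *) return 1 ;;                                # digest-only or unrecognised line
    esac
}

# Download one package, check it, and install only if the signature verified.
# Uses "rpm -K" for the one-line verdict; "rpm -Kv" gives the per-check detail.
fetch_verify_install() {
    url=$1
    pkg=${url##*/}
    wget -q "$url" -O "$pkg" || { echo "download failed: $url" >&2; return 1; }
    verdict=$(rpm -K "$pkg" 2>&1)
    if ! rpm_sig_verified "$verdict"; then
        echo "refusing to install $pkg: $verdict" >&2
        rm -f "$pkg"                       # do not leave an unverified package lying around
        return 1
    fi
    rpm -Uvh "$pkg"
}

# Usage: ./verify-install.sh ftp://PLACEHOLDER-MIRROR/path/to/package.rpm
if [ -n "${1:-}" ]; then
    fetch_verify_install "$1"
fi
```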