Hello,

On Friday, 18 July 2008, Jonathon M. Robison wrote:

> What about using wwwkeys.pgp.net? We'd get all the benefits - key signing, etc.

Quoting http://wiki.linuxtag.org/w/Keysigning:

  The only keyservers you should use are either subkeys.pgp.net or random.sks.keyserver.penguin.de, if you insist. Any of the keyservers in these clusters are fine. Please do not use other keyservers, like keyserver.net or wwwkeys.pgp.net: They all mangle keys in various ways including, but not limited to: dropping subkeys, moving binding sigs around between subkeys, duplicating user ids, modifying signature subpackets (dropping non-hashed data), calculating KeyIDs wrong (for v4 RSA keys), rejecting keys with attribute UIDs (such as photo ids), or they don't sync with the rest of the network.

That said: There's nothing wrong with using a keyserver - however I don't think that the signatures will be useful for YaST (except for the build service root key). Especially, I don't want to have all signing keys imported to my rpm keyring (needed to verify the signatures) because this would also mean that packages signed with these keys will be accepted...

I think a two-way solution would be the best:

- YaST downloads the keys from download.opensuse.org (or packman or whatever repository you use)
- if someone wants to check a key in more detail, he can download it from a keyserver, including all signatures, and compare the fingerprint with the fingerprint displayed by YaST.

The only disadvantage is that this method causes some manual work (download the key from a keyserver and compare the fingerprint with the one YaST displays). But security always has a price ;-)

Regards,

Christian Boltz
--
[...] if the installation of a stupid package failed, [...] AFAIK there is no package named `stupid'. [> Raphael Schillings and Michael Gross in https://bugzilla.novell.com/show_bug.cgi?id=147588]
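The manual step Christian describes, comparing the fingerprint of a key obtained from a repository or keyserver with the one YaST displays, is easy to get subtly wrong (comparing a short key ID instead of the full fingerprint, or reading a subkey's fingerprint instead of the primary key's). The following is an added example, not code from this thread or from any openSUSE tool: it parses GnuPG's machine-readable `--with-colons` listing, picks the primary-key fingerprint, and compares it against a human-typed fingerprint. The colon-format listing and all fingerprints below are constructed sample data; the `fingerprint_from_file` helper assumes a GnuPG that supports `--show-keys` and is not exercised by the sample run.

```python
"""Check a downloaded OpenPGP key against a fingerprint shown elsewhere.

Added example, not part of the mailing-list thread. The colon-format
sample and every fingerprint in it are constructed.
"""
import hmac
import re
import subprocess
from typing import Optional

# Constructed fingerprints: primary key and one encryption subkey.
PRIMARY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# Constructed sample of `gpg --with-colons --show-keys key.asc` output.
# In this format an 'fpr' record has its fingerprint in field 10 (index 9)
# and belongs to whichever 'pub' or 'sub' record preceded it.
SAMPLE_COLONS = "\n".join([
    "pub:-:2048:1:ABCDEF0123456789:1215993600:::-:::scESC:",
    "fpr" + ":" * 9 + PRIMARY_FPR + ":",
    "uid:-::::1215993600::0000000000000000000000000000000000000000::"
    "Example Repository Signing Key <repo@example.invalid>::::::::::0:",
    "sub:-:2048:1:0011223344556677:1215993600::::::e:",
    "fpr" + ":" * 9 + SUBKEY_FPR + ":",
]) + "\n"


def normalize_fingerprint(shown: str) -> str:
    """Turn a fingerprint as displayed to humans (groups of four hex digits,
    any case, maybe colon-separated) into bare upper-case hex."""
    return re.sub(r"[\s:]", "", shown).upper()


def primary_fingerprint(colons: str) -> Optional[str]:
    """Return the primary key's fingerprint from --with-colons output.

    Only the 'fpr' record that follows a 'pub' record is the primary key's;
    an 'fpr' after 'sub' describes a subkey and must not be used here.
    """
    expecting_primary = False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expecting_primary = True
        elif fields[0] == "sub":
            expecting_primary = False
        elif fields[0] == "fpr" and expecting_primary and len(fields) > 9:
            return fields[9]
    return None


def fingerprints_match(shown: str, colons: str) -> bool:
    """True only if `shown` is a full v4 fingerprint (40 hex digits) equal to
    the primary-key fingerprint in `colons`.

    An 8- or 16-digit key ID is rejected outright: key IDs are not a
    sufficient identity check, and the quoted wiki text notes that some
    keyservers even compute them incorrectly.
    """
    want = normalize_fingerprint(shown)
    if not re.fullmatch(r"[0-9A-F]{40}", want):
        return False
    got = primary_fingerprint(colons)
    if got is None:
        return False
    return hmac.compare_digest(want, got)


def fingerprint_from_file(path: str) -> Optional[str]:
    """Read a key file with GnuPG without importing it into any keyring
    (and therefore without touching the rpm keyring either).
    Assumes a GnuPG version that supports --show-keys."""
    out = subprocess.run(
        ["gpg", "--with-colons", "--show-keys", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return primary_fingerprint(out)


if __name__ == "__main__":
    # What a user would type from the YaST dialog, in the usual 4-digit groups.
    displayed = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
    print("match" if fingerprints_match(displayed, SAMPLE_COLONS) else "MISMATCH")
```

Because the key is only listed, never imported, this check can be run on any key offered by a repository before deciding whether it belongs in the rpm keyring at all; a mismatch means the key should not be imported, regardless of how many keyserver signatures it carries.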