Mailinglist Archive: opensuse-security (50 mails)
Re: [opensuse-security] Re: [security-announce] Package management security on SUSE Linux
- From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
- Date: Sun, 20 Jul 2008 12:28:38 +0200 (CEST)
- Message-id: <alpine.LSU.1.00.0807201221150.12808@xxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Saturday 2008-07-19 at 00:18 +0200, Christian Boltz wrote:
> That said: There's nothing wrong with using a keyserver - however I
> don't think that the signatures will be useful for YaST (except for the
> build service root key).
> Especially, I don't want to have all signing keys imported to my rpm
> keyring (needed to verify the signatures) because this would also mean
> that packages signed with these keys will be accepted...
> I think a two-way solution would be the best:
> - YaST downloads the keys from download.opensuse.org (or packman or
> whatever repository you use)
> - if someone wants to check a key in more detail, he can download it
> from a keyserver, including all signatures, and compare the fingerprint
> with the fingerprint displayed by YaST.
> The only disadvantage is that this method causes some manual work
> (download the key from a keyserver and compare the fingerprint with the
> one YaST displays). But security always has a price ;-)
I think that, when YaST or zypper adds a repo that has a signature that is not already imported, it should fire a new module that handles key importing and signing. It could be from the existing key servers, or from a specific key server at SUSE.
Or at least, an "add repo module", that could display more info, like a description of the repo, a list of persons responsible for it, signature keys, software they maintain there, etc.
-- Cheers,
Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
iD8DBQFIgxNZtTMYHG2NR9URAubDAJ9PLUCUwJQXq3Hm9HwGPkLDEm9WawCeO52F
fLt0GRWYJYDVgolmWKOU6zs=
=a1Y+
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx
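The fingerprint comparison Christian describes (key fetched from the repository versus a copy pulled from a keyserver), as an added example that is not part of this thread and not YaST or zypper code: it parses an OpenPGP public key (armored or binary), derives the v4 fingerprint the same way GnuPG displays it, and compares it with a reference fingerprint ignoring spacing and case, so an import into the rpm keyring can be gated on a match. The sample key bytes at the bottom are constructed for the parser only and are not a usable key.

```python
import base64, hashlib, hmac, re, struct

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC line); return raw packets."""
    b64, state = [], "outside"
    for line in armored.splitlines():
        if line.startswith("-----BEGIN PGP"):
            state = "headers"                # armor headers run until the first blank line
        elif state == "headers" and line.strip() == "":
            state = "body"
        elif state == "body" and line.startswith(("=", "-----END")):
            break                            # "=XXXX" is the CRC24 line, not key data
        elif state == "body":
            b64.append(line.strip())
    return base64.b64decode("".join(b64))
def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet; handles RFC 4880 old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                           # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: length = struct.unpack(">I", data[i:i+4])[0]; i += 4
            else: raise ValueError("partial body lengths are not supported")
        else:                                                    # old-format header
            tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 3]  # KeyError: indeterminate
            length = int.from_bytes(data[i:i+size], "big"); i += size
        yield tag, data[i:i+length]
        i += length
def fingerprint(key) -> str:
    """v4 fingerprint = SHA-1 over 0x99 || 2-byte body length || public-key packet body."""
    data = dearmor(key) if isinstance(key, str) else key
    for tag, body in iter_packets(data):
        if tag == 6:                                             # tag 6 = public-key packet
            if body[0] != 4: raise ValueError("only v4 keys are handled")
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    raise ValueError("no public-key packet found")
def fingerprints_match(displayed: str, reference: str) -> bool:
    """Compare the fingerprint YaST shows with the keyserver copy: ignore spacing/case, constant time."""
    a, b = (re.sub(r"[\s:]", "", s).upper() for s in (displayed, reference))
    return len(a) == 40 and hmac.compare_digest(a, b)

# Constructed sample: a tiny v4 "RSA" key packet that is NOT a usable key, just parser input.
KEY_BODY = b"\x04" + struct.pack(">IB", 1216426800, 1) + b"\x00\x10\xc0\x01\x00\x11\x01\x00\x01"
KEY_BIN = bytes([0x98, len(KEY_BODY)]) + KEY_BODY               # old-format header, tag 6
KEY_ARMORED = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
               + base64.b64encode(KEY_BIN).decode() + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Only when `fingerprints_match()` returns true for the key file would a wrapper go on to run `rpm --import`; a bare key ID (the last 16 hex digits) is deliberately rejected, since it is far too short to stand in for the full fingerprint.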