On Friday, 14 March 2014, 15:41:34, Jason wrote:
On Friday, March 14, 2014 08:17:23 Marcus Meissner wrote: ...
The trust concept we currently use does not include the RPM embedded GPG signatures themselves, although they are usually signed by the same key as repomd.xml.
Ciao, Marcus
This actually leaves the possibility of server-side compromise? If an attacker signs with his key, or no key, will the package be installed?
not with zypp at least, since you need to re-generate and re-sign the rpm-md meta data (or susetag style metadata for product repos).

--
Adrian Schroeter
email: adrian@suse.de
SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5, 90409 Nürnberg, Germany

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
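The reason a swapped package is still caught, as an added illustration that is not code from the thread or from zypp: once the detached GPG signature on repomd.xml has been verified (assumed done here), repomd.xml pins the digest of primary.xml, and primary.xml pins the digest of every package, so a package replaced on the server fails the chain unless the metadata is regenerated and re-signed. The repomd.xml, primary.xml and package bytes below are constructed for the example.

```python
# Added example: walk the rpm-md checksum chain that zypp relies on after
# repomd.xml's detached signature has been verified. All inputs are constructed.
import hashlib
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo",
      "common": "http://linux.duke.edu/metadata/common"}

PACKAGE = b"constructed package bytes standing in for a real .rpm"

PRIMARY_XML = ("""<?xml version="1.0"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
 <package type="rpm">
  <name>example</name>
  <checksum type="sha256" pkgid="YES">%s</checksum>
  <location href="example-1.0-1.noarch.rpm"/>
 </package>
</metadata>""" % hashlib.sha256(PACKAGE).hexdigest()).encode()

REPOMD_XML = ("""<?xml version="1.0"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
 <data type="primary">
  <checksum type="sha256">%s</checksum>
  <location href="repodata/primary.xml"/>
 </data>
</repomd>""" % hashlib.sha256(PRIMARY_XML).hexdigest()).encode()


def expected_primary_digest(repomd_xml: bytes) -> str:
    """Digest of primary.xml as pinned by the (already signature-checked) repomd.xml."""
    root = ET.fromstring(repomd_xml)
    return root.find("repo:data[@type='primary']/repo:checksum", NS).text.strip()


def expected_package_digest(primary_xml: bytes, href: str) -> str:
    """Digest of the package at `href` as pinned by primary.xml."""
    root = ET.fromstring(primary_xml)
    for pkg in root.findall("common:package", NS):
        if pkg.find("common:location", NS).get("href") == href:
            return pkg.find("common:checksum", NS).text.strip()
    raise KeyError(href)


def package_trusted(repomd_xml: bytes, primary_xml: bytes, href: str, package: bytes) -> bool:
    """True only if every link in repomd.xml -> primary.xml -> package matches."""
    if hashlib.sha256(primary_xml).hexdigest() != expected_primary_digest(repomd_xml):
        return False  # metadata itself was tampered with
    return hashlib.sha256(package).hexdigest() == expected_package_digest(primary_xml, href)
```

Note that this chain says nothing about who signed the RPM itself, which is exactly the gap Marcus describes; `rpm -K` on the downloaded file is the separate check for the embedded signature.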