Mailinglist Archive: opensuse (1125 mails)

Re: [opensuse] Repo key validation [Was: Missing packages in opensuse-12.1]

On 2012-05-13 10:59, Josef Wolf wrote:
> On Fri, May 11, 2012 at 01:02:43PM +0200, Carlos E. R. wrote:
>
>> Which is usually supplied to me by mirrors. Then the chain of security
>> can be intercepted even if downloaded from suse because the server
>> is not https.
>
> The same holds true for _every_ security patch you install. You surely
> install security patches, don't you?

Yes, but those patches are signed, and security is maintained.

The problem arises when the update repo changes key, there is no secure
channel to update the key.

> BTW: shouldn't the packages be signed to keep mirrors from
> manipulating them? I hope those keys are not just for fun?

They are. The hole is in the transmission of the keys themselves.

- --
Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
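
The gap discussed in this message is in how the key arrives, so the check that closes it is comparing the downloaded key's fingerprint with one obtained through a separate trusted channel. The following is an added example, not part of the original mail and not openSUSE or zypper code: it computes an OpenPGP v4 fingerprint as defined in RFC 4880 section 12.2 and accepts a key only on a match. All function names and the sample key material are constructed for illustration.

```python
import hashlib
import struct

# Constructed sample value standing in for an RSA modulus (not a real key).
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed repo key").digest(), "big") | 1

def build_pubkey_packet(created: int, n: int, e: int) -> bytes:
    """Build a minimal binary OpenPGP v4 RSA public-key packet (sample data only)."""
    def mpi(x: int) -> bytes:
        # MPI = two-octet bit count followed by the big-endian magnitude.
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    # Old-format header 0x99: packet tag 6 (public key) with a two-octet length.
    return b"\x99" + struct.pack(">H", len(body)) + body

def v4_fingerprint(packet: bytes) -> str:
    """SHA-1 over 0x99, the two-octet length and the public-key packet body."""
    # Simplification: only the 0x99 header form is parsed here.
    if len(packet) < 3 or packet[0] != 0x99:
        raise ValueError("expected an old-format public-key packet")
    (length,) = struct.unpack(">H", packet[1:3])
    body = packet[3:3 + length]
    if length == 0 or len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or not a version 4 key")
    return hashlib.sha1(b"\x99" + packet[1:3] + body).hexdigest().upper()

def accept_repo_key(packet: bytes, pinned_fingerprint: str) -> bool:
    """Accept a key fetched over plain HTTP only if it matches the pinned fingerprint."""
    try:
        actual = v4_fingerprint(packet)
    except ValueError:
        return False
    return actual == pinned_fingerprint.replace(" ", "").upper()

def demo():
    genuine = build_pubkey_packet(1336900000, SAMPLE_N, 65537)
    # Same metadata, different key material: what a substituted key looks like.
    swapped = build_pubkey_packet(1336900000, SAMPLE_N ^ 2, 65537)
    # Stands in for a fingerprint obtained out of band (assumption of this example).
    pinned = v4_fingerprint(genuine)
    return accept_repo_key(genuine, pinned), accept_repo_key(swapped, pinned)

if __name__ == "__main__":
    print(demo())
```

The comparison only helps if the pinned fingerprint did not travel over the same unauthenticated path as the key itself.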