Mailinglist Archive: opensuse (3349 mails)

Re: [SLE] Apt and unknown signatures
  • From: Anders Johansson <andjoh@xxxxxxxxxx>
  • Date: Tue, 17 May 2005 20:38:16 +0200
  • Message-id: <200505172038.17191.andjoh@xxxxxxxxxx>
On Tuesday 17 May 2005 20:22, Sunny wrote:
> Which says that my kaffeine was packaged by packman, and if I need, I
> have to look for his rpmkey.

packman isn't one person, it is a web site where several people (and therefore
several gpg keys) contribute. You'd need to import them all.

Also note that blindly importing keys you don't know anything about is no
better than just ignoring the key completely. Trust is everything.

Not saying you can't trust the keys in apt, I'm just saying you need to think
about what you're doing. Do you know who the person is? Can he/she be traced
if there's a major problem with the packages? Blind trust is stupid trust.

This isn't a problem now (perhaps; there are many 'regular users' contributing
to the package repos that I know nothing at all about), but it will be in the
future as Linux grows in popularity.

Even now it would be a piece of cake to spread malicious code: simply create a
package, subscribe to this list using some anonymous address and start
promoting the package. So far I have seen very few people who look like
they would think twice about installing it.

Please don't let Linux go down the same security quagmire that other OSes have.
Please think.

And to the admins of these repos: please consider establishing a web of trust
where everything is transparent, so end users can see what's going on and who
is involved.
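One concrete form of the "don't import blindly" advice above, added here as an example that is not part of the original post: read the fingerprints out of a key file without importing it, and only run `rpm --import` when every fingerprint matches a list you pinned out-of-band. The fingerprints, file names and the `gpg --with-colons --import-options show-only` invocation are assumptions for illustration, not anything from the list or from packman.

```shell
#!/bin/sh
# Gate a GPG key import on a pinned fingerprint allowlist.
# Constructed example: the fingerprints below are made-up placeholders.

# Allowlist: one full fingerprint per line, obtained through a channel
# other than the download that delivered the key (project web page over
# HTTPS, a signed announcement, or confirmed in person).
TRUSTED_FPRS='0123456789ABCDEF0123456789ABCDEF01234567
89ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Print the fingerprints in an ASCII-armored key file without importing it.
# In `gpg --with-colons` output, "fpr" records carry the fingerprint in
# field 10.
key_fingerprints() {
    gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Read fingerprints from stdin; succeed only if there is at least one and
# every one of them is in TRUSTED_FPRS (exact, whole-line match).
fprs_all_trusted() {
    n=0
    while IFS= read -r fpr; do
        [ -n "$fpr" ] || continue
        n=$((n + 1))
        if ! printf '%s\n' "$TRUSTED_FPRS" | grep -qxF -- "$fpr"; then
            echo "untrusted key fingerprint: $fpr" >&2
            return 1
        fi
    done
    [ "$n" -gt 0 ]
}

# Import into the rpm keyring only when the gate passes; otherwise the
# keyring is left untouched and the caller can investigate the key.
import_if_pinned() {
    if key_fingerprints "$1" | fprs_all_trusted; then
        rpm --import "$1"
    else
        echo "refusing to import $1" >&2
        return 1
    fi
}
```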

