Mailinglist Archive: opensuse (1468 mails)

Re: [opensuse] Re: gpg-pubkeys missing 'Distribution'
  • From: Marcus Meissner <meissner@xxxxxxx>
  • Date: Mon, 8 Jun 2009 00:15:47 +0200
  • Message-id: <20090607221547.GB6806@xxxxxxx>
On Sun, Jun 07, 2009 at 03:05:23PM -0700, Linda Walsh wrote:
> Anders Johansson wrote:
>> There are only two suse keys in total. The suse "build" key
>> (build@xxxxxxx) and the security key (security@xxxxxxx)
>>
>> They are used for all distributions, until they expire, at which
>> time they get an update. The current one will expire in May 2010,
>> if I read correctly
>>
>> The other keys you have could be various other repository keys.
>> Each build service repository has its own key
> ----
> So any mirror would have its own key?

No.

Buildservice projects have their own keys. Mirrors just mirror
our stuff and never have their own keys.

> and build@xxxxxxx keys? If they are from mirror sites, would it be
> a major problem if the summary or build-host indicated the host it
> came from (FQDN, not localhost)?
>
> Having keys is excellent, but if I have duplicates and don't know
> one from another or where they came from, I can't really know what
> packages were signed against what key (all I likely would know is that
> they installed with one of the above keys, but that doesn't tell me
> if one of those 'build' keys was from: "susemirror.IwasHacked.org"...
> or where...?
>
> Isn't it possible if a mirror site were hacked, someone could also
> install their own hacked 'gpg' key, with the same summary?
> Theoretically, that is...not that it is likely to happen...

No. Yast would ask for confirmation.

There was a bug in 10.2 or 10.3 which imported keys multiple times,
which would explain the multiple imports.

Ciao, Marcus
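
The two situations discussed in this thread (the same key imported several times, and two different keys carrying the same summary) can be told apart from the rpm database. The script below is an added example, not part of the original mail or of any SUSE tool; the function names and the sample key IDs and user IDs are constructed, and it assumes input in the form printed by `rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'`.

```shell
#!/bin/sh
# Added example: audit imported RPM public keys.
# Input, one key per line:  <keyid>-<release> TAB <summary>
# On a live system:
#   rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | audit_pubkeys

audit_pubkeys() {
    awk -F '\t' '
    {
        count[$1]++                       # how often this exact key entry is installed
        split($1, vr, "-")                # vr[1] = short key ID
        if (!(($2, vr[1]) in seen)) {     # first time this summary/key ID pair is seen
            seen[$2, vr[1]] = 1
            ids[$2] = ids[$2] " " vr[1]
            nids[$2]++
        }
    }
    END {
        # Same entry more than once: repeated import of one key.
        for (k in count)
            if (count[k] > 1)
                printf "DUPLICATE-IMPORT\t%s\tx%d\n", k, count[k]
        # Same summary, different key IDs: distinct keys that need a
        # fingerprint check against a trusted source.
        for (u in nids)
            if (nids[u] > 1)
                printf "SAME-UID-DIFFERENT-KEY\t%s\t%s\n", u, substr(ids[u], 2)
    }' | sort
}

# Constructed sample data (not real key IDs or user IDs).
sample_keys() {
    printf '%s\t%s\n' \
        '11111111-aaaaaaaa' 'gpg(Example Build <build@example.org>)' \
        '11111111-aaaaaaaa' 'gpg(Example Build <build@example.org>)' \
        '11111111-aaaaaaaa' 'gpg(Example Build <build@example.org>)' \
        '22222222-bbbbbbbb' 'gpg(Example Security <security@example.org>)' \
        '33333333-cccccccc' 'gpg(Example Build <build@example.org>)'
}

sample_keys | audit_pubkeys
```

A `DUPLICATE-IMPORT` line alone is harmless clutter; a `SAME-UID-DIFFERENT-KEY` line is the case where the summary cannot distinguish the keys and the full fingerprint has to be compared.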