[opensuse-announce] Build Service Repositories Get New GPG Keys
You wonder why zypper or YaST do ask you to accept new keys for some repositories atm ? Please read this mail in this case. The repositories on opensuse.org below the http://download.opensuse.org/repositories/ directory get currently new GPG keys which are use to sign the repository meta data and the packages. The reason behind this is to increase the security for you and your system. Repositories inside of this directory are created by the openSUSE build service packagers. Everybody can go to http://build.opensuse.org and get at least an own home:<login> project where you can build and publish packages. But also all other projects have different owners, this means people who have write permissions there. As a consequence of this openess of the build service, users should have the possibility to decide whom to trust and whom not. This is easy possible by adding or not adding/removing repositories. However, rpm and package managers do use gpg keys to support users in this approach. These tools use them to verify that a certain repository and each package does indeed come from a certain person or group. In the past, all build service repositories were signed with the same key. This means that a user was able to allow or disallow repositories, but the the tools did not help or even checked this. This approach was therefore not save against attacks. We use from now on own keys per top-level project. Users can decide to accept certain keys or not. Packagers will get an API interface to manage these keys in near future to some degree. These keys are auto generated by the build service and report to come from KDE OBS Project <KDE@build.opensuse.org> or home:adrianSuSE OBS Project <home:adrianSuSE@build.opensuse.org> for example. In case you are not sure, if you can trust a certain project, you should log into the build service via http://build.opensuse.org and look at the list of persons who are part of this project. (Yes, a system which makes this more transparent for the End User is in our plan). I hope this helps adrian PS: There was a bug, which caused failures when using rpm checking a signature. This will be solved by rebuilding these packages. YaST and zypper are using gpg and had never this problem. -- Adrian Schroeter SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-announce+help@opensuse.org
participants (1)
-
Adrian Schröter