https://bugzilla.novell.com/show_bug.cgi?id=367666

User adrian@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=367666#c2

Adrian Schröter <adrian@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|adrian@novell.com           |

--- Comment #2 from Adrian Schröter <adrian@novell.com>  2008-03-07 00:18:24 MST ---
osc can get the keys either via the repos (located in
repodata/repomd.xml.key) or via API calls.

One aspect is that installing packages into a build root hosted within a
chroot (not XEN) is almost as insecure as installing them into the system
(regarding intentional attacks, not bugs that happen by accident).

So in any case, osc should point the user to this and ask if he wants to
start the build anyway by trusting these further repos, which are obviously
not yet accepted in his system rpm database.

Afterwards, osc could either import the keys into the system-wide rpm
database or find some way to tell rpm running in the build script to use an
additional key (or keyring).

A completely different (alternative) option would be to better support XEN,
qemu or any other virtualisation builds on packager workstations. qemu
should be easily doable in the build script (maybe I do this these days), it
would slow down the build, but hopefully makes it secure in a way that the
trust aspect becomes less important.
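
The confirmation step proposed in the comment, as an added sketch (not osc's code and not part of the bug report): before a build, each repo's key is checked against a per-user pin file kept apart from the system rpm database, unknown keys are confirmed with the user, and a changed key aborts the build. The function names, the pin file, and the use of a SHA-256 hash of the key file in place of a real OpenPGP fingerprint are assumptions.

```python
import hashlib
import json
import os

class UntrustedRepoKey(Exception):
    """Raised before the build starts when a repo key is not acceptable."""

def pin(key_bytes):
    # Assumption: SHA-256 of the key file stands in for an OpenPGP fingerprint.
    return hashlib.sha256(key_bytes).hexdigest()

def load_pins(store_path):
    if not os.path.exists(store_path):
        return {}
    with open(store_path) as fh:
        return json.load(fh)

def approve_build_repos(repo_keys, store_path, ask):
    """repo_keys maps repo URL -> bytes of its repodata/repomd.xml.key.
    ask(repo, pin) returns True if the user accepts that key for builds.
    Returns the repos newly trusted; raises before anything is installed."""
    pins = load_pins(store_path)
    added = []
    for repo, key_bytes in sorted(repo_keys.items()):
        current = pin(key_bytes)
        known = pins.get(repo)
        if known == current:
            continue  # already accepted for builds, no prompt needed
        if known is not None:
            # Key differs from the accepted one: never re-trust silently.
            raise UntrustedRepoKey(f"{repo}: key changed since it was accepted")
        if not ask(repo, current):
            raise UntrustedRepoKey(f"{repo}: key rejected by user")
        pins[repo] = current
        added.append(repo)
    if added:
        # All-or-nothing: pins are written only if every repo was accepted.
        tmp = store_path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, store_path)  # atomic update of the pin file
    return added

if __name__ == "__main__":
    import tempfile
    # Constructed sample input: placeholder bytes, not a real key.
    keys = {"https://example.invalid/repo": b"constructed key material"}
    store = os.path.join(tempfile.mkdtemp(), "build-repo-pins.json")
    print(approve_build_repos(keys, store, lambda r, p: True))  # newly trusted
    print(approve_build_repos(keys, store, lambda r, p: False))  # no prompt
```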