https://bugzilla.novell.com/show_bug.cgi?id=868440
https://bugzilla.novell.com/show_bug.cgi?id=868440#c4

--- Comment #4 from Jon Nelson <jnelson-suse@jamponi.net> 2014-03-17 15:21:59 UTC ---

Trusting the repo alone is not sufficient. A compromise of the repo signature mechanism, due to bug or design, allows the installation of any number of unsigned or wrongly-signed rpms.

Think of the repo as an envelope and the rpms as a (signed!) document. Inspecting the integrity of the envelope is not a sufficient guarantee that the document has not also been altered. Security is about layers, and relying on only one layer here is a problem.

I would like to include the security team in this discussion. How is that done?

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
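The second layer the comment argues for is a per-package check that runs regardless of whether the repository metadata verified. The following is an added example, not code from the bug report or from the openSUSE project: it classifies each line of `rpm -K` (`--checksig`) output as signed-and-verified, unsigned, or failed, and lists the packages a per-package policy would refuse. The two output shapes it recognises (`digests signatures OK` / `digests OK` / `digests SIGNATURES NOT OK` on newer rpm, and the older per-component listing such as `rsa sha1 (md5) pgp md5 OK`) are this example's own assumptions about rpm's wording; the sample lines and package names are constructed.

```python
"""Per-package signature gate on top of repo-level verification.

Added example (not from the bug report): feed `rpm -K` output through a
classifier and block anything that is not both digest- and signature-OK,
independent of whether the repository metadata checked out.  The output
formats below are assumptions about rpm's wording; confirm them against
the rpm version you actually run.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# Tokens that show a signature was present in the status text.
# "signatures" is the newer summary wording; rsa/dsa/pgp/gpg appear in the
# older per-component listing (e.g. "rsa sha1 (md5) pgp md5 OK").
_SIG_TOKENS = {"signatures", "signature", "rsa", "dsa", "pgp", "gpg"}

# "<package path>: <status text>"; split at the first ": ".
_LINE_RE = re.compile(r"^(?P<pkg>.+?):\s+(?P<status>.+)$")


def classify_checksig_line(line: str) -> Optional[Dict[str, str]]:
    """Map one `rpm -K` output line to {"pkg": ..., "verdict": ...}.

    verdict is one of:
      signed_ok  - digests and a signature verified
      unsigned   - digests fine but no signature at all (the "envelope
                   only" case the bug comment warns about)
      failed     - rpm reported NOT OK (bad digest, bad or unknown-key
                   signature, tampered payload)
      unknown    - status text matched neither shape
    """
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    pkg, status = m.group("pkg"), m.group("status")
    tokens = [t.strip("()").lower() for t in status.split()]
    has_sig = any(t in _SIG_TOKENS for t in tokens)
    if re.search(r"\bNOT OK\b", status):
        verdict = "failed"
    elif re.search(r"\bOK\b", status):
        verdict = "signed_ok" if has_sig else "unsigned"
    else:
        verdict = "unknown"
    return {"pkg": pkg, "verdict": verdict}


def classify_checksig_lines(lines: List[str]) -> Dict[str, str]:
    """Classify a whole `rpm -K` run; returns {package: verdict}."""
    out: Dict[str, str] = {}
    for line in lines:
        result = classify_checksig_line(line)
        if result:
            out[result["pkg"]] = result["verdict"]
    return out


def packages_blocked(lines: List[str]) -> List[str]:
    """Packages a per-package policy refuses: everything that is not
    signed_ok, which deliberately includes the merely unsigned ones."""
    return [p for p, v in classify_checksig_lines(lines).items()
            if v != "signed_ok"]


def run_rpm_checksig(paths: List[str]) -> List[str]:
    """Run `rpm -K` on local .rpm files and return its output lines.
    rpm exits non-zero when any package fails, so check=True is not used."""
    if shutil.which("rpm") is None:
        raise RuntimeError("rpm is not available on this host")
    proc = subprocess.run(["rpm", "-K", *paths],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


# Constructed sample output (not real packages), one line of each shape.
SAMPLE_CHECKSIG = """\
vendor-tool-1.2-3.x86_64.rpm: digests signatures OK
helper-lib-0.9-1.noarch.rpm: digests OK
rogue-agent-4.0-1.x86_64.rpm: digests SIGNATURES NOT OK
legacy-pkg-2.1-5.i586.rpm: rsa sha1 (md5) pgp md5 OK
"""

if __name__ == "__main__":
    lines = SAMPLE_CHECKSIG.splitlines()
    for pkg, verdict in classify_checksig_lines(lines).items():
        print(f"{verdict:10} {pkg}")
    print("blocked:", packages_blocked(lines))
```

Wire `run_rpm_checksig` to the downloaded files and call `packages_blocked` before handing anything to the installer; the point is that a clean repository signature never promotes an unsigned or failed package to installable.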