https://bugzilla.novell.com/show_bug.cgi?id=868440 https://bugzilla.novell.com/show_bug.cgi?id=868440#c1 Marcus Meissner <meissner@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com --- Comment #1 from Marcus Meissner <meissner@suse.com> 2014-03-14 19:36:02 UTC --- we verify the YUM repository consistency. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=868440 https://bugzilla.novell.com/show_bug.cgi?id=868440#c Xiyuan Liu <xyliu@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |xyliu@suse.com AssignedTo|bnc-team-screening@forge.pr |zypp-maintainers@forge.prov |ovo.novell.com |o.novell.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=868440 https://bugzilla.novell.com/show_bug.cgi?id=868440#c4 --- Comment #4 from Jon Nelson <jnelson-suse@jamponi.net> 2014-03-17 15:21:59 UTC --- Trusting the repo alone is not sufficient. A compromise of the repo signature mechanism, due to bug or design, allows the installation of any number of unsigned or wrongly-signed rpms. Think of the repo as an envelope and the rpms as a (signed!) document. Inspecting the integrity of the envelope is not a sufficient guarantee that the document has not also been altered. Security is about layers, and relying on only one layer here is a problem. I would like to include the security team in this discussion. How is that done? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.