https://bugzilla.novell.com/show_bug.cgi?id=461957

Summary: Please make available the PGP key IDs on a non-wiki web page
Product: openSUSE 11.1
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: robin.listas@telefonica.net
QAContact: qa@suse.de
CC: pth@novell.com
Found By: ---

The PGP keys used for signing packages available for openSUSE, including those of Novell and of the build service, should be available on a web page, and that page should be a non-wiki page. At least the IDs and the fingerprints of the keys. And this web page should be referred to by zypper.

Why? Because we can download the keys (for instance, the "openSUSE Project Signing Key") from a public PGP key server, but we do not know if the key we download is the real one or a fake: we must have a web of trust. We must have a method to verify and sign keys, knowing that we do have the real, good keys. And of course, keys must be signed by a master key, forming a web of trust.

The current method of having zypper automatically download keys and accept them permanently, without a known method of verifying whether that is the key of that repo, offers no real security - IMO.
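The check the reporter is asking a client to perform, written out as an added example (this is not code from the bug report, from zypper or from rpm): recompute the fingerprint of a downloaded OpenPGP key from its public-key packet, compare it against a fingerprint published out-of-band, and refuse the key on any mismatch. The packet and armor formats follow RFC 4880; the key itself, the "tampered" variant and the PUBLISHED_FINGERPRINTS table are constructed for the example and stand in for the non-wiki page the report requests, not for any real openSUSE key data.

```python
"""Pin-and-verify check for an OpenPGP repository signing key (added example).

Recomputes a v4 key fingerprint from the raw packet and compares it with a
fingerprint published out-of-band. The key and the "published" table are
constructed for the example; only the RFC 4880 formats are real.
"""
import base64
import hashlib
import hmac
import struct

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip ASCII armor, verifying the CRC-24 trailer when one is present."""
    lines = text.strip().splitlines()
    if not lines or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not a PGP public key block")
    inner = lines[1:-1]
    if "" in inner:                      # drop armor headers (Version:, Comment:, ...)
        inner = inner[inner.index("") + 1:]
    data = base64.b64decode("".join(l for l in inner if l and not l.startswith("=")))
    crc_lines = [l for l in inner if l.startswith("=")]
    if crc_lines:
        expected = int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC mismatch: key block is corrupt")
    return data


def public_key_packet_body(data: bytes) -> bytes:
    """Return the body of the first packet, which must be a v4 public key (tag 6)."""
    tag_byte = data[0]
    if not tag_byte & 0x80:
        raise ValueError("invalid packet header")
    if tag_byte & 0x40:                  # new-format header
        tag, first = tag_byte & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:                                # old-format header: length type in the low two bits
        tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length is not supported")
        off = 1 + (1 << ltype)
        length = int.from_bytes(data[1:off], "big")
    if tag != 6:
        raise ValueError(f"expected public-key packet (tag 6), got tag {tag}")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated public-key packet")
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return body


def fingerprint(armored: str) -> str:
    """v4 fingerprint: SHA-1 over 0x99, the two-octet body length and the packet body."""
    body = public_key_packet_body(dearmor(armored))
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(armored: str) -> str:
    """The 64-bit key ID is the low 8 octets of the fingerprint; pin the full fingerprint, not this."""
    return fingerprint(armored)[-16:]


def verify_repo_key(armored: str, repo: str, published: dict) -> bool:
    """Accept the key only if its fingerprint matches the one published for this repo."""
    expected = published.get(repo)
    if expected is None:
        return False                     # unknown repo: never fall back to trusting whatever was served
    return hmac.compare_digest(fingerprint(armored), expected.replace(" ", "").upper())


def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _make_rsa_public_key_packet(created: int, n: int, e: int) -> bytes:
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body   # old format, tag 6


def _armor(packets: bytes) -> str:
    b64 = base64.b64encode(packets).decode()
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, "", *(b64[i:i + 64] for i in range(0, len(b64), 64)), "=" + crc, ARMOR_END, ""])


# Constructed dummy key: the modulus is not a real RSA modulus, it only gives the packet a realistic shape.
_DUMMY_N = int.from_bytes(hashlib.sha256(b"constructed example modulus").digest() * 8, "big") | (1 << 2047) | 1
_PACKET = _make_rsa_public_key_packet(1230000000, _DUMMY_N, 65537)
EXAMPLE_KEY = _armor(_PACKET)
# The same key with one octet of the exponent flipped: a "fake" that the fingerprint check must reject.
TAMPERED_KEY = _armor(_PACKET[:-1] + bytes([_PACKET[-1] ^ 0x01]))
# Stand-in for the published fingerprint page (constructed here from the example key, not real openSUSE data).
PUBLISHED_FINGERPRINTS = {"example-repo": fingerprint(EXAMPLE_KEY)}

if __name__ == "__main__":
    for name, key in (("downloaded key", EXAMPLE_KEY), ("tampered key", TAMPERED_KEY)):
        ok = verify_repo_key(key, "example-repo", PUBLISHED_FINGERPRINTS)
        print(f"{name}: id {key_id(key)} fp {fingerprint(key)} -> {'import' if ok else 'REJECT'}")
```

Only after verify_repo_key returns True would a client hand the file to rpm --import; the short key ID is printed for display only, since 64-bit IDs can be collided and the pinned value has to be the full fingerprint.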