Michal Vyskocil wrote:
> To me it seems that the biggest issue in the current implementation is how we can ensure the .keyring validity if a packager can put in and submit whatever he wants to.
> So what about creating some dedicated (open)SUSE GPG key and putting all verified GPG ids into its web of trust? Then all we need is to verify if the package is signed by this key, and if so, then it's a trusted keyring.
Well, suppose we have an "openSUSE signing key" and all signing keys of packages have to be in the web of trust. Would it be a real security benefit?

If somebody writes to the openSUSE signing key maintainer: "Please sign 2753E77A, I need it for smartmontools." The signing key maintainer would have to ultimately trust the package maintainer. Would the key maintainer sign 2753E77A directly? But the key maintainer has only second-hand information about 2753E77A. Or would the key maintainer sign the openSUSE developer's key, and the openSUSE developer will sign the upstream signing key? But then we would trust more than we want. Or would we require both? Only trusted developers would be able to ask for adding a key to the web of trust?

Well, even worse. What if the author of the-tiny-game-0.1.tar.gz.asc would try to submit httpd-2.4.3.tar.bz2.asc signed by his key? The signature check will pass!

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.          e-mail: sbrabec@suse.cz
Lihovarská 1060/12            tel: +49 911 7405384547
190 00 Praha 9                fax: +420 284 028 951
Czech Republic                http://www.suse.cz/

-- 
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
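The failure Stanislav describes, "any key in the web of trust verifies any tarball", is a missing binding between signer and package. The following is an added illustration, not code from the thread, the Build Service, or openSUSE: it runs the two verification policies side by side on a constructed scenario. OpenPGP keys are replaced by an HMAC stand-in (real signatures are asymmetric; the stand-in only keeps the example runnable offline without gpg), and every key id and tarball content is constructed, not a real upstream key or release.

```python
import hashlib
import hmac
import secrets


class StandInKey:
    """Stand-in for an OpenPGP key. A real key is an asymmetric keypair; an
    HMAC secret is used here only so the policy comparison runs offline."""

    def __init__(self, key_id: str) -> None:
        self.key_id = key_id
        self._secret = secrets.token_bytes(32)

    def sign(self, data: bytes) -> bytes:
        # Detached "signature" over the tarball bytes.
        return hmac.new(self._secret, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


def check_any_trusted(data: bytes, sig: bytes, web_of_trust: dict) -> bool:
    """Policy discussed in the thread: accept the tarball if *any* key in the
    openSUSE web of trust verifies the signature. Nothing ties the signer to
    the package being submitted."""
    return any(key.verify(data, sig) for key in web_of_trust.values())


def check_pinned(data: bytes, sig: bytes, package_keyring: dict) -> bool:
    """Alternative: accept only if a key from this package's own .keyring
    verifies the signature. This binds signer to package, but is only as
    trustworthy as whoever controls the .keyring contents (Michal's point)."""
    return any(key.verify(data, sig) for key in package_keyring.values())


def run_scenario() -> dict:
    # Constructed keys and key ids; not real openSUSE or upstream keys.
    httpd_upstream = StandInKey("HTTPD-UPSTREAM-CONSTRUCTED")
    tiny_game_author = StandInKey("TINYGAME-AUTHOR-CONSTRUCTED")

    # Both keys were admitted to the (constructed) openSUSE web of trust.
    web_of_trust = {k.key_id: k for k in (httpd_upstream, tiny_game_author)}
    # httpd's own .keyring pins only the upstream release key.
    httpd_keyring = {httpd_upstream.key_id: httpd_upstream}

    # Constructed stand-in for the bytes of httpd-2.4.3.tar.bz2.
    httpd_tarball = b"constructed contents of httpd-2.4.3.tar.bz2"
    genuine_sig = httpd_upstream.sign(httpd_tarball)
    # The tiny-game author signs the httpd tarball with his own key.
    rogue_sig = tiny_game_author.sign(httpd_tarball)
    tampered_tarball = httpd_tarball + b" plus backdoor"

    return {
        "any_trusted/genuine": check_any_trusted(httpd_tarball, genuine_sig, web_of_trust),
        "any_trusted/rogue": check_any_trusted(httpd_tarball, rogue_sig, web_of_trust),
        "pinned/genuine": check_pinned(httpd_tarball, genuine_sig, httpd_keyring),
        "pinned/rogue": check_pinned(httpd_tarball, rogue_sig, httpd_keyring),
        "pinned/tampered": check_pinned(tampered_tarball, genuine_sig, httpd_keyring),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}")
```

Under the web-of-trust-only policy the rogue signature passes exactly as the mail predicts; under the per-package keyring it fails. The second policy does not answer Michal's original question, though: if the packager who submits httpd can also rewrite its .keyring, he can pin his own key and the pinned check passes again, so the keyring's provenance has to be controlled separately from the package submission.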