On Tue, Jan 08, 2013 at 04:43:02PM +0100, Stanislav Brabec wrote:
> Michal Vyskocil wrote:
> > To me it seems that the biggest issue in the current implementation is how we can ensure the .keyring validity if a package can put and submit whatever he wants to.
> > So what about creating some dedicated (open)SUSE GPG key and putting all verified GPG ids into its web of trust? Then all we need is to verify if the package is signed by this key, and if so, then it's a trusted keyring.
>
> Well, suppose we have an "openSUSE signing key" and all signing keys of packages have to be in the web of trust.
> Would it be a real security benefit?
> If somebody writes to the openSUSE signing key maintainer: "Please sign 2753E77A, I need it for smartmontools." The signing key maintainer would have to ultimately trust the package maintainer.
> Would the key maintainer sign 2753E77A directly? But the key maintainer has only second-hand information about 2753E77A.
> Or would the key maintainer sign the openSUSE developer's key and the openSUSE developer would sign the upstream signing key? But then we would trust more than we want.
> Or would we require both? Only trusted developers would be able to ask for adding a key to the web of trust?
> Well, even worse. What if the author of the-tiny-game-0.1.tar.gz.asc tried to submit httpd-2.4.3.tar.bz2.asc signed by his key? The signature check would pass!
Well, no one said that in a web of trust model we won't check the .keyring changes. But it was just an idea; I would say that the current incarnation is secure and flexible enough.

Regards
Michal Vyskocil
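The failure mode raised in the reply above (a key trusted for the-tiny-game validly signing an httpd tarball) comes down to what the verifier treats as the authorization set: one global web of trust, or the per-package .keyring the current implementation uses. The following is an added example, not openSUSE tooling or anything from this thread, that models both policies side by side. A keyed SHA-256 MAC stands in for the GPG detached signature so it runs offline without gpg; the key ids other than 2753E77A, the secrets, and the tarball bytes are constructed.

```python
"""Model of the two .keyring policies discussed in the thread.

Added example, not openSUSE tooling.  Real source verification checks a GPG
detached signature (.asc) against a keyring; here an HMAC-SHA256 stands in
for the signature so that only the policy layer is under test.
"""
import hashlib
import hmac

# Constructed sample keys: key id -> signing secret (stand-in for a private key).
# 2753E77A is the id mentioned in the thread; the other two are made up.
KEYS = {
    "2753E77A": b"smartmontools-upstream-secret",
    "DEADBEEF": b"tiny-game-upstream-secret",
    "CAFEF00D": b"httpd-upstream-secret",
}

# Policy A: a single openSUSE signing key whose web of trust covers every
# upstream key, so any trusted key is accepted for any package.
GLOBAL_TRUSTED = {"2753E77A", "DEADBEEF", "CAFEF00D"}

# Policy B: every package ships its own .keyring listing only its upstream keys.
PACKAGE_KEYRING = {
    "smartmontools": {"2753E77A"},
    "the-tiny-game": {"DEADBEEF"},
    "httpd": {"CAFEF00D"},
}


def sign(key_id, data):
    """Produce the stand-in signature for data with the given key."""
    return hmac.new(KEYS[key_id], data, hashlib.sha256).hexdigest()


def signature_valid(key_id, data, sig):
    """Cryptographic check only: is sig a valid signature of data by key_id?"""
    if key_id not in KEYS:
        return False
    return hmac.compare_digest(sign(key_id, data), sig)


def verify_global(key_id, data, sig):
    """Policy A: the key only has to be somewhere in the global web of trust."""
    return key_id in GLOBAL_TRUSTED and signature_valid(key_id, data, sig)


def verify_per_package(package, key_id, data, sig):
    """Policy B: the key must appear in this package's own .keyring."""
    allowed = PACKAGE_KEYRING.get(package, set())
    return key_id in allowed and signature_valid(key_id, data, sig)


def scenario():
    """Replay the thread's case: the tiny-game key signs an httpd tarball."""
    httpd_tarball = b"constructed stand-in for httpd-2.4.3.tar.bz2"
    rogue_sig = sign("DEADBEEF", httpd_tarball)
    good_sig = sign("CAFEF00D", httpd_tarball)
    tampered = httpd_tarball + b" (modified after signing)"
    return {
        # A valid signature from a trusted-but-unrelated key passes under policy A.
        "global_accepts_wrong_key": verify_global("DEADBEEF", httpd_tarball, rogue_sig),
        # The same signature is rejected when the keyring is bound to the package.
        "per_package_accepts_wrong_key": verify_per_package("httpd", "DEADBEEF", httpd_tarball, rogue_sig),
        # The real upstream key still verifies under policy B.
        "per_package_accepts_right_key": verify_per_package("httpd", "CAFEF00D", httpd_tarball, good_sig),
        # And a modified tarball fails regardless of which key is in the keyring.
        "per_package_accepts_tampered": verify_per_package("httpd", "CAFEF00D", tampered, good_sig),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The cryptographic check is identical in both policies; what differs is the set of keys the verifier consults, which is why the per-package .keyring is the piece that actually prevents a key accepted for one package from vouching for another.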