On Wednesday, 30 June 2021, 19:00:00 CEST Andrii Nikitin wrote:
Hi Robert,
(I am not a big OBS expert (and especially not on the DoD part of OBS, which I heard of for the first time today), so I hope somebody will provide a more strict answer.)
I think your concern is valid, and it is something which may be improved inside OBS, because e.g. zypper and other utilities are fine to be redirected to mirrors without compromising security.
But, if you need assistance with the error itself - a solution may be to use a particular mirror in your country (instead of download.opensuse.org), or https://downloadcontent.opensuse.org (that will not redirect to mirrors).
zypper and friends are validating repositories and packages using GPG.
The GPG key is only owned by the provider of a package, while SSL certificates
are created by third-party authorities. Also, in case of a redirect each mirror
would have control over the content which cannot be verified.
Therefore it is recommended to pin the SSL certificate to the single owner
you trust for your repository meta data. (The packages can come from a mirror
and can get verified via the meta data.)
--
Adrian Schroeter
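
The trust chain described in this reply, as an added Python illustration (not code from OBS or zypper): the metadata is accepted only from a host whose certificate matches a pin, and a package fetched from any mirror is accepted only if its SHA-256 matches that metadata. It assumes rpm-md style `primary.xml` and a pin over the SHA-256 of the DER certificate; all function names and sample data are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}  # rpm-md primary.xml namespace

def cert_matches_pin(cert_der: bytes, pinned_sha256_hex: str) -> bool:
    """Compare SHA-256 of the server certificate (DER bytes, e.g. from
    ssl.SSLSocket.getpeercert(binary_form=True)) with the pinned value."""
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256_hex.lower())

def package_checksums(primary_xml: bytes) -> dict:
    """Map each package's location href to its sha256 from the metadata."""
    sums = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        csum, loc = pkg.find("c:checksum", NS), pkg.find("c:location", NS)
        if csum is not None and loc is not None and csum.get("type") == "sha256":
            sums[loc.get("href")] = csum.text.strip().lower()
    return sums

def accept_package(cert_der, pin, primary_xml, href, pkg_bytes) -> bool:
    """Accept a mirror-delivered package only via pinned-host metadata."""
    if not cert_matches_pin(cert_der, pin):
        return False                      # metadata source is not the pinned owner
    expected = package_checksums(primary_xml).get(href)
    if expected is None:
        return False                      # package not listed in trusted metadata
    actual = hashlib.sha256(pkg_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)

# --- Constructed sample data, not taken from the thread ---
SAMPLE_CERT = b"constructed DER bytes of the metadata host certificate"
SAMPLE_PIN = hashlib.sha256(SAMPLE_CERT).hexdigest()
SAMPLE_PKG = b"constructed package payload"
SAMPLE_HREF = "x86_64/demo-1.0-1.x86_64.rpm"
SAMPLE_PRIMARY = (
    '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
    '<package type="rpm"><name>demo</name>'
    f'<checksum type="sha256" pkgid="YES">{hashlib.sha256(SAMPLE_PKG).hexdigest()}</checksum>'
    f'<location href="{SAMPLE_HREF}"/></package></metadata>'
).encode()

if __name__ == "__main__":
    for label, cert, body in [("honest mirror", SAMPLE_CERT, SAMPLE_PKG),
                              ("tampering mirror", SAMPLE_CERT, SAMPLE_PKG + b"!"),
                              ("unpinned metadata host", b"other cert", SAMPLE_PKG)]:
        ok = accept_package(cert, SAMPLE_PIN, SAMPLE_PRIMARY, SAMPLE_HREF, body)
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```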