Michal Vyskocil wrote:
On Tue, Jan 08, 2013 at 04:43:02PM +0100, Stanislav Brabec wrote:
Well, even worse. What if the author of the-tiny-game-0.1.tar.gz.asc tried to submit httpd-2.4.3.tar.bz2.asc signed by his key? The signature check will pass!
Well, no one said that the .keyring changes won't be checked in the web of trust model. But it was just an idea; I would say that the current incarnation is secure and flexible enough.
Well, it could make sense. Just a question. What is better:

- adding keys in that keyring to web of trust
- signing the keyring file during submitting to Factory

--
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.
Lihovarská 1060/12
190 00 Praha 9
Czech Republic
e-mail: sbrabec@suse.cz
tel: +49 911 7405384547
fax: +420 284 028 951
http://www.suse.cz/