[opensuse-buildservice] identifying packagers
Hi,

is there some way to tell apart BS users from SuSE/Novell and "external" ones, or add some "verified" tag to some package?

Why am I asking: users of packages from BS might put less trust into packages which are not "official enough", i.e. those that aren't even packaged by someone from SuSE.

Thanks
Petr
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Friday 03 August 2007 14:53:37, Petr Cerny wrote:
> Hi,
>
> is there some way to tell apart BS users from SuSE/Novell and "external" ones, or add some "verified" tag to some package?
>
> Why am I asking: users of packages from BS might put less trust into packages which are not "official enough", i.e. those that aren't even packaged by someone from SuSE.

We have had a trust interface on our todo for quite a while, but we had no time to work on that yet. You are right, we need something where a user can decide if he can trust it or not, based on some defined criteria.

I would be very happy if someone wants to make a proposal document, or maybe even wants to work on that. We would be happy to help such a person to solve problems and to move forward.

Independent of this, I have on my todo to improve the situation of project signing, so that the package manager can validate individual projects.

bye
adrian

--
Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@suse.de
Hi Adrian,

Adrian Schröter wrote:
> On Friday 03 August 2007 14:53:37, Petr Cerny wrote:
>> Hi,
>>
>> is there some way to tell apart BS users from SuSE/Novell and "external" ones, or add some "verified" tag to some package?
>>
>> Why am I asking: users of packages from BS might put less trust into packages which are not "official enough", i.e. those that aren't even packaged by someone from SuSE.
>
> We have had a trust interface on our todo for quite a while, but we had no time to work on that yet.
> You are right, we need something where a user can decide if he can trust it or not, based on some defined criteria.

Regarding this, I would like to see something like in Debian. A web of trust of developers is very good. A user can trust someone who is known by other developers of the global project. This means source uploads, or better the binaries, should be signed by the uploader, independent of the project in BS.

> I would be very happy if someone wants to make a proposal document, or maybe even wants to work on that. We would be happy to help such a person to solve problems and to move forward.
>
> Independent of this, I have on my todo to improve the situation of project signing, so that the package manager can validate individual projects.

Seeing BS as (today's) main package repository, all projects (including their packages) which are distributed from BS (or being pushed from BS towards the mirrors) should be signed by the maintainer of the BS system. Therefore the customer, hmm.. sorry, the user can trust the BS or the mirror that the binaries are coming from the original BS, and he can trust the packager (it doesn't matter if it's an official opensuse / suse / novell project, or just a one man project) when he checks the web of trust behind the packager.

Just an idea,

Good night :)

\sh
On Friday 03 August 2007 21:41:58, Stephan Hermann wrote:
> Hi Adrian,
>
> Adrian Schröter wrote:
>> On Friday 03 August 2007 14:53:37, Petr Cerny wrote:
>>> Hi,
>>>
>>> is there some way to tell apart BS users from SuSE/Novell and "external" ones, or add some "verified" tag to some package?
>>>
>>> Why am I asking: users of packages from BS might put less trust into packages which are not "official enough", i.e. those that aren't even packaged by someone from SuSE.
>>
>> We have had a trust interface on our todo for quite a while, but we had no time to work on that yet.
>> You are right, we need something where a user can decide if he can trust it or not, based on some defined criteria.
>
> Regarding this, I would like to see something like in Debian. A web of trust of developers is very good. A user can trust someone who is known by other developers of the global project.

Yes, this is our intention. Maybe with additional mechanisms, like signing some kind of contract and/or assuring to provide security updates in time, which would influence the trust level ....

> This means source uploads, or better the binaries, should be signed by the uploader, independent of the project in BS.

Signing by a person only makes sense if this person is working alone. Since most of the more important packages have multiple packagers, it may make sense to sign with a project key. This assures that it comes from the project, and tools can check how much they can trust it based on the people who have write access there.

>> I would be very happy if someone wants to make a proposal document, or maybe even wants to work on that. We would be happy to help such a person to solve problems and to move forward.
>>
>> Independent of this, I have on my todo to improve the situation of project signing, so that the package manager can validate individual projects.
>
> Seeing BS as (today's) main package repository, all projects (including their packages) which are distributed from BS (or being pushed from BS towards the mirrors) should be signed by the maintainer of the BS system.

Well, we already have a general key signing all packages. But that only says that these packages come from the system, nothing more.

> Therefore the customer, hmm.. sorry, the user can trust the BS or the mirror that the binaries are coming from the original BS, and he can trust the packager (it doesn't matter if it's an official opensuse / suse / novell project, or just a one man project) when he checks the web of trust behind the packager.

No need to trust the mirrors, you can check already via the OBS key ;)

sleep well
adrian

--
Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@suse.de
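The scheme the thread converges on has three layers: the build service's general key proves a binary came from the system (so mirrors need not be trusted), a per-project key ties it to a project, and the user's web of trust over the people with write access decides how much that project deserves. The following Python is an added example written for this page, not code from the thread's participants or from the build service itself. It assumes the cryptographic signature checks have already been done by the package manager and only models the trust decision on top of the verified key ids; every key id, project name and developer name in it is constructed.

```python
"""Trust evaluation for build-service packages: system key for provenance,
project key for origin, and a developer web of trust over the project's
write-access holders. Added example; all identifiers below are constructed."""

from collections import deque
from dataclasses import dataclass

# Constructed id of the build service's general signing key (hypothetical).
SYSTEM_KEY = "KEY-OBS-SYSTEM"


@dataclass(frozen=True)
class Project:
    name: str
    key_id: str           # key that signs builds from this project (hypothetical)
    writers: frozenset    # every account with write access to the project


@dataclass(frozen=True)
class Package:
    name: str
    signed_by: frozenset  # key ids whose signatures already verified on this package


class WebOfTrust:
    """Directed 'vouches for' graph between developers."""

    def __init__(self, vouches):
        self.vouches = {k: frozenset(v) for k, v in vouches.items()}

    def reachable(self, roots, max_depth):
        """Developers reachable from the user's direct trust set within max_depth hops."""
        seen = set(roots)
        queue = deque((dev, 0) for dev in roots)
        while queue:
            dev, depth = queue.popleft()
            if depth >= max_depth:
                continue
            for nxt in self.vouches.get(dev, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
        return frozenset(seen)


def evaluate(package, projects, direct_trust, wot, max_depth=2):
    """Return (level, reason) for a package whose signatures have been verified.

    Any writer can produce a build under the project key, so the project is only
    as trustworthy as its least-trusted writer: all of them must be in the web of trust.
    """
    if SYSTEM_KEY not in package.signed_by:
        return "reject", "no build service signature: not provably from the system"
    project = next((p for p in projects.values() if p.key_id in package.signed_by), None)
    if project is None:
        return "origin-only", "system key only: came from the build service, nothing more"
    trusted = wot.reachable(direct_trust, max_depth)
    outsiders = project.writers - trusted
    if outsiders:
        return "project-known", (f"project {project.name}: writers outside the web of trust: "
                                 f"{sorted(outsiders)}")
    return "trusted", f"project {project.name}: all {len(project.writers)} writers trusted"


# Constructed sample data.
PROJECTS = {
    "home:alice": Project("home:alice", "KEY-PROJ-ALICE", frozenset({"alice"})),
    "multimedia": Project("multimedia", "KEY-PROJ-MM", frozenset({"bob", "carol"})),
    "games": Project("games", "KEY-PROJ-GAMES", frozenset({"dave", "mallory"})),
}
WOT = WebOfTrust({"alice": {"bob"}, "bob": {"carol"}, "carol": {"dave"}})
USER_TRUST = frozenset({"alice"})  # the user directly trusts only alice

SAMPLE_PACKAGES = [
    Package("tool-1.0.rpm", frozenset({SYSTEM_KEY, "KEY-PROJ-ALICE"})),
    Package("player-2.3.rpm", frozenset({SYSTEM_KEY, "KEY-PROJ-MM"})),
    Package("game-0.9.rpm", frozenset({SYSTEM_KEY, "KEY-PROJ-GAMES"})),
    Package("misc-4.1.rpm", frozenset({SYSTEM_KEY})),
    Package("odd-7.7.rpm", frozenset({"KEY-PROJ-ALICE"})),
]


def evaluate_all(packages=SAMPLE_PACKAGES):
    """Map package name to its trust level for the constructed sample data."""
    return {p.name: evaluate(p, PROJECTS, USER_TRUST, WOT)[0] for p in packages}


if __name__ == "__main__":
    for pkg in SAMPLE_PACKAGES:
        level, reason = evaluate(pkg, PROJECTS, USER_TRUST, WOT)
        print(f"{pkg.name:18} {level:14} {reason}")
```

With the constructed data, "alice" vouches for "bob" and "bob" for "carol", so with a depth limit of two the multimedia project (writers bob and carol) is fully covered, while the games project is not: "dave" is three hops away and "mallory" is vouched for by nobody, so the package is reported as project-known rather than trusted. A package carrying only the system key is origin-only, matching the point that the general key says nothing beyond "this came from the system", and a package lacking the system key is rejected outright since its provenance cannot be checked at all.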