Quoting Stanislav Brabec <sbrabec@suse.cz>:
Without verifying this against an upstream published key, it's still void information... so I do expect the first-time effort to get this in to be rather big.
What if an attacker uploads a false key to the key server?
Well, as we don't have anything 'yet', it's the best we can do.
I guess we should trust the keyring residing in Factory for years, which was used for verifying all released versions over 5 years, and not blindly trust a new key from the key server, especially if it is not in my web of trust.
This is not valid just now: there is no .keyring that has resided in Factory for years... An update of a .keyring file may be legit later on, but the 'validity' is not easy to establish without direct contact with upstream. So that is another task to be performed by the reviewers (initially, this should also happen for each new .keyring file!).
But yes, you can verify that the user did not revoke it:
~/OSC/home:sbrabec:gpg-offline-verify/vsftpd> LANG=C gpg-offline --review --keyring vsftpd.keyring
This is, imho, a mandatory check for a new tarball to be checked in: if the key is revoked, a new tarball is very likely to come from a compromised source if it validates against said .keyring. Hence, it must be blocked at check-in. I agree, though, that tarballs signed before the revocation must keep building.
vsftpd.keyring is a valid armored GPG keyring and the human readable description corresponds to its contents.
This part is good... but it does not guarantee that it is the actual 'upstream' key... The difficulty is, of course, only at the beginning, to get this bootstrapped... Once the .keyring is in, any change to it has to be considered 'questionable'.

Dominique
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
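An added example, written for this page and not taken from either mail or from gpg-offline: a Python helper that performs the two checks the thread asks for before a new tarball is accepted, namely that the signing key is not revoked in the package's own .keyring (read from `gpg --with-colons --list-keys`) and that the detached signature verifies as GOODSIG rather than REVKEYSIG/EXPKEYSIG/BADSIG (read from `gpg --status-fd 1 --verify`). The listing and status lines embedded below are constructed samples with made-up key ids; the live function assumes gpg is on PATH and imports the .keyring into a throwaway home directory so the reviewer's own keyring cannot vouch for the tarball.

```python
"""Check-in gate for a new upstream tarball against the package's own .keyring.
Record layouts follow GnuPG's doc/DETAILS; all sample data below is constructed."""
import subprocess
import tempfile

REVOKED, EXPIRED = "r", "e"      # validity letters, field 2 of pub/sub records
SIG_WORDS = ("GOODSIG", "REVKEYSIG", "EXPKEYSIG", "BADSIG", "ERRSIG")

# Constructed `--with-colons` listing: one live key with a subkey, one revoked key.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:-::::1500000000::AAAA::Upstream Maintainer (constructed) <maint@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::s::::::23:
fpr:::::::::9999888877776666555544443333222211110000:
pub:r:2048:1:1111222233334444:1300000000:::-:::sc::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:r::::1300000000::BBBB::Old Key (constructed, revoked) <old@example.org>::::::::::0:
"""
# Constructed `--status-fd 1` output for a good and for a revoked-key signature.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Upstream Maintainer (constructed) <maint@example.org>
"""
REVOKED_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 1111222233334444 Old Key (constructed, revoked) <old@example.org>
"""


def parse_colons(listing):
    """Map primary long key id -> validity, fingerprint, uids and subkey validities."""
    keys, cur, prev = {}, None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = keys.setdefault(f[4], {"validity": f[1], "fingerprint": "",
                                         "uids": [], "subkeys": {}})
        elif cur is None:
            pass                                  # tru/other records before first pub
        elif f[0] == "fpr" and prev == "pub":
            cur["fingerprint"] = f[9]             # field 10: fingerprint of that pub
        elif f[0] == "uid":
            cur["uids"].append(f[9])              # field 10: user id
        elif f[0] == "sub":
            cur["subkeys"][f[4]] = f[1]           # subkey id -> its own validity
        prev = f[0]
    return keys


def keyring_problems(keys):
    """Revoked primary keys block; expired keys and revoked subkeys only warn
    (expiry is housekeeping, not evidence of compromise)."""
    blocking, warnings = [], []
    for kid, k in keys.items():
        who = k["uids"][0] if k["uids"] else kid
        if k["validity"] == REVOKED:
            blocking.append(f"key {kid} ({who}) is revoked")
        elif k["validity"] == EXPIRED:
            warnings.append(f"key {kid} ({who}) has expired")
        warnings += [f"subkey {s} of {kid} is revoked"
                     for s, v in k["subkeys"].items() if v == REVOKED]
    return blocking, warnings


def signature_status(status_lines):
    """Return (status word, long key id of the signer) from --status-fd output."""
    for line in status_lines.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] in SIG_WORDS:
            return parts[1], parts[2]
    return "NONE", ""


def checkin_allowed(listing, status_lines):
    """New tarball: needs GOODSIG, and the signer (primary or subkey) must be in the
    .keyring and not revoked there, independent of gpg's own verdict."""
    word, signer = signature_status(status_lines)
    if word != "GOODSIG":
        return False
    for kid, k in parse_colons(listing).items():
        if kid == signer or signer in k["subkeys"]:
            return k["validity"] != REVOKED and k["subkeys"].get(signer, "-") != REVOKED
    return False                                  # signer is not in the package keyring


def gpg_listing_and_status(keyring_path, sig_path, tarball_path):
    """Live path (assumes gpg on PATH): import the armored .keyring into a throwaway
    home dir, list it, and verify the detached signature; returns raw text for the
    parsers above. gpg exits non-zero on BADSIG, so --verify is not run with check=True."""
    with tempfile.TemporaryDirectory() as home:
        base = ["gpg", "--batch", "--homedir", home]
        subprocess.run(base + ["--import", keyring_path], check=True, capture_output=True)
        listing = subprocess.run(base + ["--with-colons", "--list-keys"],
                                 check=True, capture_output=True, text=True).stdout
        verify = subprocess.run(base + ["--status-fd", "1", "--verify", sig_path, tarball_path],
                                capture_output=True, text=True)
    return listing, verify.stdout
```

The listing check is kept separate from the signature verdict on purpose: it lets a reviewer flag a revoked or expired key in the .keyring during review even before a tarball arrives. The gate only decides about a new check-in; whether an older tarball signed before the revocation should keep building, as the thread wants, is a policy question this helper does not settle.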