On Thu, Apr 29, 2021 at 3:36 PM Michal Suchánek
No, as it is, zypper downloads the rpm packages, which are verified by the repository index. Because the rpm packages come from multiple repositories signed by different keys, rpm then complains about packages signed by keys not imported into the rpm database. The 'solution' is typical for how SUSE handles software distribution. The keys will be added to the repository but will not be verified by the index. Zypper will ask you to import the keys without any verification whatsoever. If you say yes, the warning will be gone, but your system will be potentially compromised because no method of verification for these new signing keys is provided.
I don't really understand this answer. Bottom line: the zypper dup yesterday did a completely unverified, easily man-in-the-middle-attackable upgrade of the previously fine 15.2 system. Is this assumption correct? From inside this malicious 15.3, is there a mathematically sound way to re-evaluate all the currently installed packages and (re-)verify them with the (hopefully?) installed keys that it complained about during the dup? How would I verify all the installed bits and pieces and rpm files from inside 15.3 RC? Also, in that bug I read about libzypp or something still needing to implement this upgrade scenario and missing keys and stuff. Will this be available during the GA release of 15.3, finally? Or what other workaround steps are mandatory at the moment, such as: manually fetching gpg keys from somewhere, importing them, and only zypper dup after those additional steps? Shouldn't this be put up on https://en.opensuse.org/SDB:System_upgrade pretty much immediately, notifying people about this serious security issue when coming from a safe and secure 15.2 and dup-ing to 15.3 RC? Am I the only one worried by the current situation? Is this perfectly normal for all the involved SUSE staff, developers, maintainers, admins etc.? ty.
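As an added example, not code from the thread or from the zypper/rpm projects: a POSIX shell check that matches each installed package's signing key id (as rpm reports it in %{SIGPGP:pgpsig}) against the gpg-pubkey entries in the rpm database, using constructed sample output in place of the real rpm queries. It only shows which keys rpm currently trusts; whether an imported key is genuine still has to be settled by comparing its fingerprint with one obtained out of band, which is the gap Michal describes.

```shell
#!/bin/sh
# Added example, not code from the thread: report installed RPMs whose signing
# key is absent from the rpm database (the packages rpm warns about after a dup)
# and packages that carry no signature at all.
# On a real system the two constructed samples below come from:
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'

# Constructed sample: gpg-pubkey entries in the rpm db; the 8 hex chars after
# "gpg-pubkey-" are the low 32 bits of the signing key id.
IMPORTED_KEYS='gpg-pubkey-aaaaaaaa-5f000000
gpg-pubkey-bbbbbbbb-5f000001'

# Constructed sample: package list in the format rpm prints for %{SIGPGP:pgpsig}.
INSTALLED_PKGS='bash-5.0-1.1 RSA/SHA256, Mon 01 Mar 2021 10:00:00 AM UTC, Key ID 1111aaaaaaaaaaaa
zypper-1.14.43-1.1 RSA/SHA256, Mon 01 Mar 2021 10:00:00 AM UTC, Key ID 2222bbbbbbbbbbbb
mystery-1.0-1.1 RSA/SHA256, Mon 01 Mar 2021 10:00:00 AM UTC, Key ID 3333cccccccccccc
unsigned-0.1-1.1 (none)'

# find_untrusted_pkgs <gpg-pubkey list> <package/signature list>
# Prints "<pkg> UNSIGNED" or "<pkg> KEY-NOT-IMPORTED <keyid>"; prints nothing
# for packages whose signing key is present in the rpm db.
find_untrusted_pkgs() {
  keys=$1
  printf '%s\n' "$2" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    pkg=${line%% *}
    sig=${line#* }
    case "$sig" in
      '(none)')
        printf '%s UNSIGNED\n' "$pkg" ;;
      *'Key ID '*)
        keyid=${sig##*Key ID }
        # rpm names the key package after the last 8 hex digits of the key id.
        short=$(printf '%s' "$keyid" | cut -c9-16 | tr 'A-F' 'a-f')
        case "$keys" in
          *"gpg-pubkey-$short-"*) ;;
          *) printf '%s KEY-NOT-IMPORTED %s\n' "$pkg" "$keyid" ;;
        esac ;;
      *)
        printf '%s UNPARSED %s\n' "$pkg" "$sig" ;;
    esac
  done
}

find_untrusted_pkgs "$IMPORTED_KEYS" "$INSTALLED_PKGS"
```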