
On 2012-05-28 03:00, Nelson Marques wrote:
> 2012/5/28 Carlos E. R. <>:
>> Hacked. >:-)
>
> No, openSUSE got hacked and leaked their keys... can you sign RPMs with just the public key? :) If you do.... then that's quite a feature.

Not openSUSE, you.

Think carefully how it works, we are using an incomplete crypto-signature system and it has holes, because we are not following the procedure.

The intermediary mirror creates a new signing pair, public and private. The data is opened, and signed again with that new key, and you are offered to accept it, because you can not verify it and know it is a bad one.

Look, I can send you a post cryptographically signed as you. I may even upload it to the key servers. People will download it and say: "Hey! this is signed by Nelson, it is his post." You know it is not, I know it is not, but not the rest of the world.

How is that possible? Because we neglected the web of trust.

--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
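
Added example, not part of the original post: the re-signing scenario described above, showing that a client which accepts any offered key with the right name passes re-signed data, while a client that only accepts a fingerprint verified out of band rejects it. Assumptions: the signature scheme is toy textbook RSA over fixed primes (illustration only, not OpenPGP), fingerprint pinning stands in for a web-of-trust check, and all names, user IDs and data are constructed.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q, uid):
    """Toy textbook-RSA key pair from two known primes (illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    fpr = hashlib.sha256(f"{n}:{E}".encode()).hexdigest()[:40]
    return {"uid": uid, "n": n, "fpr": fpr}, d

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, pub, d):
    return pow(digest(data, pub["n"]), d, pub["n"])

def sig_valid(data, sig, pub):
    return pow(sig, E, pub["n"]) == digest(data, pub["n"])

def accept_offered_key(data, sig, offered_pub, expected_uid):
    """Weak policy: trust whatever key is offered if its name looks right."""
    return offered_pub["uid"] == expected_uid and sig_valid(data, sig, offered_pub)

def accept_pinned_key(data, sig, offered_pub, trusted_fprs):
    """Stronger policy: the key's fingerprint must already be trusted."""
    return offered_pub["fpr"] in trusted_fprs and sig_valid(data, sig, offered_pub)

# Constructed sample data: two different key pairs carrying the same user ID.
UID = "Example Distro Signing Key <build@distro.example>"
distro_pub, distro_d = make_key(2**89 - 1, 2**107 - 1, UID)
mirror_pub, mirror_d = make_key(2**61 - 1, 2**127 - 1, UID)  # new pair, same name

original = b"package-1.0.rpm contents"
modified = b"package-1.0.rpm contents, altered in transit"
good_sig = sign(original, distro_pub, distro_d)
resigned = sign(modified, mirror_pub, mirror_d)  # "opened and signed again"

TRUSTED = {distro_pub["fpr"]}  # fingerprint obtained over a separate channel

def demo():
    return {
        "offered_key_accepts_resigned": accept_offered_key(modified, resigned, mirror_pub, UID),
        "pinned_key_accepts_resigned": accept_pinned_key(modified, resigned, mirror_pub, TRUSTED),
        "pinned_key_accepts_original": accept_pinned_key(original, good_sig, distro_pub, TRUSTED),
    }

if __name__ == "__main__":
    print(demo())
```

The re-signed data carries a mathematically valid signature; only the check on which key made it tells the two cases apart.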