On Monday, November 28, 2011 03:56:23 AM Ludwig Nussel wrote:
> The package signature is added automatically by the
> system and testifies that a certain package was built in a certain
This is good, but still, how can one check whether a key originated from OBS or some
How to verify that a key change, which happens from time to time, is a regular
replacement for an expired key and not malicious activity, or a sign that someone
already used a fake key, and now the real one comes as a "replacement"?
> The signing key cannot be set by the packager. IOW there is no
> point in establishing a web of trust with keys that identify people.
While in the current process there is no point in creating a web of trust, the fact
is that my trust in a repository depends, among other things, on the listed
maintainers and their previous activity.