Carlos E. R. wrote:
when a user adds a repository, he is asked to add its key first. Where from is this key imported, from the repository itself, from a central repo, or from the chain of HKP keyservers? Usually we simply click "accept", as there is no clear method of checking, trusting, and importing the key except by clicking "accept" when the repo is added.
The key is imported from the repo itself (repomd.xml.key). You are right that there currently is no satisfactory way to initially verify the key. A special view on build.opensuse.org could fix that but is not there yet. :-(
Perhaps Yast, or zypper, should include a key management module.
We openened a feature request for that some time ago already but it's not implemented yet. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org