
nordi wrote:
Marcus Meissner wrote:
Also, we will switch to per-project GPG keys in the future. Will this create some extra security? I see the digital signature as proof that the package was really produced by the build service and was not manipulated by a man in the middle.
But the fact that the package was produced by the BS doesn't tell you much. There's no pre-checking review by the buildservice team; the buildservice builds whatever the packagers upload, so you don't need a man in the middle to add 'rm -rf /' to a package scriptlet in your home project ;).

Per-project keys will allow you to select projects (to which only a group of packagers has access) you want to trust, instead of "trust everything that comes from the build service".

Michal
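Turning Michal's point into a concrete check, as an added example that is not part of the thread and not the Build Service's own tooling: a valid signature only establishes that the build service produced the package, so the installer-side policy must additionally ask which project's key signed it and whether that project is on the operator's trust list. The rpm output format, the key IDs, the project names and the sample packages below are assumptions, not anything stated on the page.

```python
"""Per-project key trust for signed packages.

Added example for this thread; it is neither the openSUSE Build Service's
own code nor anything posted by the participants.  It implements the policy
Michal describes: a valid signature only proves the build service produced
the package, so the verifier must additionally check that the signing key
belongs to a project the operator chose to trust.

Assumptions (not stated on the page):
- the signature header is read with
  ``rpm -qp --qf '%{SIGPGP:pgpsig}' <pkg>``, which prints text ending in
  "Key ID <hex digits>", or "(none)" for an unsigned package;
- the operator maintains a mapping from trusted key IDs to project names,
  e.g. built from the keys each trusted project publishes with its repodata.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Pattern for the tail of rpm's pgpsig output (format assumed, see above).
KEY_ID_RE = re.compile(r"Key ID\s+([0-9a-f]{8,16})\s*$", re.IGNORECASE)

# Hypothetical trust list: key ID -> project.  Only projects whose packager
# group the operator has vetted appear here; home projects never do.
TRUSTED_KEYS: Dict[str, str] = {
    "0123456789abcdef": "security",
    "fedcba9876543210": "server:database",
}

# Constructed sample header values in the shape rpm prints.  The second one
# is a perfectly valid build-service signature from someone's home project,
# which is exactly the case a global "trust the BS key" policy would accept.
SAMPLE_PGPSIG = {
    "security.rpm": "RSA/SHA256, Tue 07 Mar 2023 10:42:14 AM UTC, Key ID 0123456789abcdef",
    "home-evil.rpm": "RSA/SHA256, Tue 07 Mar 2023 11:03:55 AM UTC, Key ID deadbeefcafef00d",
    "unsigned.rpm": "(none)",
}


def parse_key_id(pgpsig: str) -> Optional[str]:
    """Return the lower-case signing key ID, or None if the package is
    unsigned or the header text does not match the expected shape."""
    match = KEY_ID_RE.search(pgpsig.strip())
    return match.group(1).lower() if match else None


def check_package(pgpsig: str, trusted: Dict[str, str] = TRUSTED_KEYS) -> Tuple[bool, str]:
    """Decide whether a package may be installed.

    Accepts only when the signing key maps to a trusted project; an unknown
    key is rejected even though rpm's own cryptographic check of that
    signature would succeed.
    """
    key_id = parse_key_id(pgpsig)
    if key_id is None:
        return False, "unsigned or unparsable signature header"
    project = trusted.get(key_id)
    if project is None:
        return False, f"signed by key {key_id}, which belongs to no trusted project"
    return True, f"signed by trusted project {project} (key {key_id})"


def query_pgpsig(rpm_path: str) -> str:
    """Read the signature header of a real package via rpm.  Not used by the
    constructed samples above; requires rpm on the host."""
    result = subprocess.run(
        ["rpm", "-qp", "--qf", "%{SIGPGP:pgpsig}", rpm_path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for name, sig in SAMPLE_PGPSIG.items():
        ok, reason = check_package(sig)
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} - {reason}")
```

This gate is additional to, not a replacement for, rpm's own signature verification (`rpm -K`, or the check rpm performs at install time): rpm answers "is the signature valid for some imported key", and the policy above answers "is that key one whose project we actually trust", which is the question a per-project key scheme makes it possible to ask.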