On Sun, Jul 20, 2008 at 12:28:38PM +0200, Carlos E. R. wrote:
The Saturday 2008-07-19 at 00:18 +0200, Christian Boltz wrote:
That said: There's nothing wrong with using a keyserver - however I don't think that the signatures will be useful for YaST (except for the build service root key). Especially, I don't want to have all signing keys imported to my rpm keyring (needed to verify the signatures) because this would also mean that packages signed with these keys will be accepted...
I think a two-way solution would be the best:
- YaST downloads the keys from download.opensuse.org (or packman or whatever repository you use)
- if someone wants to check a key in more detail, he can download it from a keyserver, including all signatures, and compare the fingerprint with the fingerprint displayed by YaST.
The only disadvantage is that this method causes some manual work (download the key from a keyserver and compare the fingerprint with the one YaST displays). But security always has a price ;-)
I think that, when yast or zypper adds a repo that has a signature that is not already imported, it should fire a new module that handles key importing and signing. It could be from the existing key servers, or from a specific key server at suse.
Or at least, an "add repo module", that could display more info, like a description of the repo, list of persons responsible for it, signature keys, software they maintain there, etc.
We are trying to do such a module/dialog, but so far we have not had good ideas on how to do it. Some kind of draft work would be welcome. Ciao, Marcus
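The manual check Christian describes (fetch the key from a keyserver, compare its fingerprint with the one YaST shows) can be scripted. This is an added example, not code from the thread or from YaST; the gpg colon-format record below is constructed with a placeholder fingerprint, and the helper deliberately rejects short key IDs, because many distinct keys share one.

```python
"""Compare a repository key fingerprint shown by YaST with the key fetched
from a keyserver. Added example with constructed data: the gpg colon output
below is fabricated and its fingerprint is a placeholder, not a real key."""
import re

# Constructed sample of `gpg --with-colons --with-fingerprint <keyfile>` output.
# The 'fpr' record carries the full fingerprint in field 10 (index 9).
KEYSERVER_COLON_OUTPUT = """\
pub:-:1024:17:89ABCDEF01234567:1176000000::-:::scESC:
fpr:::::::::FEDCBA98765432100123456789ABCDEF01234567:
uid:-::::1176000000::PLACEHOLDERHASH::Example Repository Key (constructed):
"""

HEX40 = re.compile(r"^[0-9A-F]{40}$")

def normalize_fingerprint(text):
    """Normalise a fingerprint as displayed or typed: drop a leading
    'Fingerprint:' label, the 0x prefix and spacing groups; upper-case it."""
    value = re.sub(r"^\s*fingerprint\s*[:=]\s*", "", text, flags=re.I)
    value = value.replace(" ", "").strip().upper()
    if value.startswith("0X"):
        value = value[2:]
    return value

def keyserver_fingerprints(colon_output):
    """Return every full fingerprint found in gpg --with-colons output."""
    fprs = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and HEX40.match(fields[9]):
            fprs.append(fields[9])
    return fprs

def fingerprint_matches(displayed, colon_output):
    """True only when the displayed value is a full 40-hex-digit fingerprint
    and equals a fingerprint of the key fetched from the keyserver.
    A short key ID (8 or 16 hex digits) is rejected: it does not identify
    the key uniquely, so it proves nothing about which key was fetched."""
    candidate = normalize_fingerprint(displayed)
    if not HEX40.match(candidate):
        return False
    return candidate in keyserver_fingerprints(colon_output)
```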