The SUSE software web site mentioned in reply to the post was: http://software.opensuse.org/ This site does not have the SUSE Public Key number listed or as a link. Why not add the SUSE Public Key number and the MD5 and SHA1? It does allow you to select various download options, and will download SUSE software for OpenSUSE. The http://download.opensuse.org/distribution/10.3/iso/dvd/MD5SUMS does have the MD5SUMS file for the stable 10.3, however, there is no SUSE Public Key and the MD5SUMS is not signed. I can NOT verify it is an authentic SUSE MD5SUMS file. Why not put the SUSE Public Key on the SUSE web site http://software.opensuse.org, as well as the MD5, SHA1, and sig files. To quote from the security announcement: "To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team " where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command: gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc " --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org