On Wed, Jun 15, 2022 at 7:12 AM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> Define "verify".
Well, that zypper text output advises to grab the PGP/GPG key by some other means at other places, preferably on the original dwelling place, homepage and the like, of the author, creator or developer. That's what I mean. I always wondered how the average user, or even developer, or just anyone out there regards and works with signatures and PGP keys and so forth. Trust on first use? Trust just everything that comes along? I kind of remember PGP parties or cross-signing events and stuff. Anyhow, here for example I would think of something like a maybe layered, multi-level trust concept: build service output and projects using that would maybe sign the project's or author's key to make it obvious that it is, in some sense, running and technically generated software and binary bits on SUSE infrastructure, giving some loose endorsement or connection, with the help of which the normal openSUSE distro user is somewhat calm and at ease to use creations that are somewhat tied to openSUSE and its infrastructure, even if it's just as little as community packages. I start with a fresh Leap ISO. Then I add some repo from build.opensuse.org or many other repos that are available via download.opensuse.org. I kind of lack the clean connection to the main Leap project, that the Leap public key for example would be signing these subprojects, or that a master SUSE (corporate? organisation or foundation?) key would sign all the sub users and developers that are adding code and binaries to the SUSE ecosystem. That would establish some kind of connection and trust. If I am not completely mistaken this could be done by the chain of trust with the help of PGP concepts. Am I wrong? It's obvious that this is not some kind of ultimate trust. Then again I fail to understand why all(?) the distros are putting the users into the place of running built binaries instead of the whole ecosystem having eventually gone for everybody self-compiling and reproducible builds and similar?
>> <https://build.opensuse.org/users/ecsos> I don't see homepages or other means and other main sources of authority for keys? Or how is this supposed to work? How to establish
>
> What do you mean with "authority"? Do you understand how PGP was intended to work? There is no authority by definition.
See above. I lack the clear presentation of the involved actual people in these build projects and the software the whole system outputs. You don't even find the public keys of all these people and projects on the few leftover public PGP keyservers these days any more, or at all; I wonder why people don't publish their keys elsewhere than just in the mere repo files. Isn't this also what that zypper output advises the user?
>> A YaST repositories GUI comes up and it kind of shows like tens of repos it's trying to add, lots of stuff, scary to me? <https://paste.opensuse.org/46477611>
>
> This is a long-standing problem in one click install and software.o.o. An OBS project may link to other projects, in which case packages from other projects are used when building software. If project A links to and is using packages from project B, it means that packages from project A now (may) depend on packages from project B. The most obvious example is the update repository, which is not self-contained - updated packages still depend on packages from the main repository.
Coming from a Windows world I would have thought that in the Linux ecoverse the general rule of thumb would not be just to click, install, acknowledge and use everything, but that there would be some brains behind all this. It seems as if in theory there were lots of bright and securing ideas (e.g. PGP public keys) but everybody and their brother was just clicking and okaying everything that came along and never actually checking stuff? Am I really wrong? Your answer here didn't even show an understanding of what I meant with verifying. How do you verify a thing in the universe? Somewhere back in elementary school(?) I learned that maybe a second way to make a calculation, a different technical means, which eventually or hopefully would come up with the same result. Checking. Verifying. I wonder if I am this pedantic or if I am just incompatible with this world? Thank you.