On Tue, Jun 14, 2022 at 3:12 PM Patrick Shanahan
How about the community-provided packages on these repositories and in the openSUSE universe, how trustworthy are these builds and compilations? Are there some safeguards against misuse and malicious code compilation or such things in the build infrastructure of openSUSE, or are there always multiple people guarding and owning these projects and packages, or how does all this work? Do I just trust this repository or project, one-click install etc.? how safe are you walking across the street?
Well, I am trying to find some ways and starting points to bootstrap into this universe. zypper says I need to check the trust before accepting it, e.g. via some other way to acquire the author's PGP key, for example via the homepage. Seriously, how to establish and start trust from scratch? This is software running on the machine after all. I may trust the openSUSE distro; I tried to verify the downloaded ISOs, openSUSE keys and stuff. So how to extend trust to this author's packages?

First:

  sudo zypper addrepo https://download.opensuse.org/repositories/home:ecsos:messenger:matrix/15.4/...
  Adding repository 'An open network for secure, decentralized communication. (15.4)' ...[done]
  Repository 'An open network for secure, decentralized communication. (15.4)' successfully added

  URI         : https://download.opensuse.org/repositories/home:/ecsos:/messenger:/matrix/15...
  Enabled     : Yes
  GPG Check   : Yes
  Autorefresh : No
  Priority    : 99 (default priority)

  Repository priorities are without effect. All enabled repositories share the same priority.

Then:

  sudo zypper ref
  New repository or package signing key received:

    Repository:       An open network for secure, decentralized communication. (15.4)
    Key Fingerprint:  B302 1BFB 9FA8 05CD E0DA EA33 CFFB A00A 8B66 2DFB
    Key Name:         home:ecsos OBS Project <home:ecsos@build.opensuse.org>
    Key Algorithm:    RSA 2048
    Key Created:      Sun 05 Sep 2021 10:29:07 AM CEST
    Key Expires:      Tue 14 Nov 2023 09:29:07 AM CET
    Rpm Name:         gpg-pubkey-8b662dfb-61347fd3

    Note: Signing data enables the recipient to verify that no modifications occurred after the data were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system and in extreme cases even to a system compromise.
    Note: A GPG pubkey is clearly identified by it's fingerprint. Do not rely the keys name.
    If you are not sure whether the presented key is authentic, ask the repository provider or check his web site. Many provider maintain a web page showing the fingerprints of the GPG keys they are using.

  Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):

All I find so far is this user, who has a lot of projects on the build infrastructure of openSUSE, so this might mean this author is very capable and knowledgeable. So far so good. But how to verify this key and the bits? https://build.opensuse.org/users/ecsos I don't see homepages or other means and other main sources of authority for keys? Or how is this supposed to work? How to establish trust in this author and its produce?
I do not use "oneclick", but manually dl and install.
About this one-click: I was actually thinking this would also simply add this one repo of "ecsos" and prepare zypp, but when selecting that one-click stuff from the pages at https://software.opensuse.org/ymp/home:ecsos:messenger:matrix/openSUSE_Tumbleweed/matrix-element-web.ymp?base=openSUSE%3AFactory&query=matrix-element-web or https://software.opensuse.org/download/package?package=matrix-element-web&project=home%3Aecsos%3Amessenger%3Amatrix, a YaST repositories GUI comes up and it kind of shows like tens of repos it's trying to add. A lot of stuff, scary to me? https://paste.opensuse.org/46477611 Why this huge difference to that single repo that is given in the expert details on software.opensuse.org? Thank you a lot.
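The key prompt quoted above gives three things that can be checked against each other and against a fingerprint obtained some other way: the fingerprint, the "Rpm Name" and the creation time. The following is an added example, not code from this thread, from zypper or from openSUSE. The presented values are copied from the zypper output in the post; EXPECTED_FPR stands in for a fingerprint you got through a second channel (assumption: the key owner's web page, a colleague's machine, an earlier install) and is set equal to the presented one only so that the example runs offline. The rpm name decoding (low 32 bits of the key ID plus creation time in hex) is how rpm names gpg-pubkey packages.

```python
"""Cross-check the repository signing key zypper presents before answering [r/t/a/?].

Added example (not from the thread, zypper or openSUSE). PRESENTED_FPR, RPM_NAME
and KEY_CREATED are the values zypper printed in the post; EXPECTED_FPR is an
assumption standing in for a fingerprint obtained out of band.
"""
import re
from datetime import datetime, timezone

# Values copied from the zypper prompt quoted in the post.
PRESENTED_FPR = "B302 1BFB 9FA8 05CD E0DA EA33 CFFB A00A 8B66 2DFB"
RPM_NAME = "gpg-pubkey-8b662dfb-61347fd3"
# "Sun 05 Sep 2021 10:29:07 AM CEST" expressed in UTC (CEST is UTC+2).
KEY_CREATED = datetime(2021, 9, 5, 8, 29, 7, tzinfo=timezone.utc)
# Assumption: obtained through a channel other than download.opensuse.org itself.
EXPECTED_FPR = "b3021bfb9fa805cde0daea33cffba00a8b662dfb"


def normalize_fpr(fpr: str) -> str:
    """Remove spaces and colons, upper-case, and require a 40-hex-digit v4 fingerprint."""
    s = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError(f"not an OpenPGP v4 fingerprint: {fpr!r}")
    return s


def fingerprints_match(presented: str, expected: str) -> bool:
    """The fingerprint is the key's identity; the key name is free text and proves nothing."""
    return normalize_fpr(presented) == normalize_fpr(expected)


def parse_gpg_pubkey_rpm_name(name: str) -> tuple[str, datetime]:
    """Split rpm's gpg-pubkey-<keyid>-<created> package name.

    <keyid> is the low 32 bits of the OpenPGP key ID, i.e. the last 8 hex digits
    of the fingerprint; <created> is the key creation time as a hex Unix timestamp.
    """
    m = re.fullmatch(r"gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})", name)
    if not m:
        raise ValueError(f"unexpected rpm name: {name!r}")
    keyid = m.group(1).upper()
    created = datetime.fromtimestamp(int(m.group(2), 16), tz=timezone.utc)
    return keyid, created


def rpm_name_consistent(fpr: str, rpm_name: str, created: datetime) -> bool:
    """True when the rpm name agrees with the fingerprint and creation time zypper shows."""
    keyid, ts = parse_gpg_pubkey_rpm_name(rpm_name)
    return normalize_fpr(fpr).endswith(keyid) and ts == created.astimezone(timezone.utc)


def answer_for_prompt(presented: str, expected: str, rpm_name: str, created: datetime) -> str:
    """Letter to type at zypper's prompt: 'a' (trust always) only when the out-of-band
    fingerprint matches and the displayed fields are consistent, otherwise 'r' (reject)."""
    if fingerprints_match(presented, expected) and rpm_name_consistent(presented, rpm_name, created):
        return "a"
    return "r"


if __name__ == "__main__":
    print("keyid, created from rpm name:", parse_gpg_pubkey_rpm_name(RPM_NAME))
    print("answer:", answer_for_prompt(PRESENTED_FPR, EXPECTED_FPR, RPM_NAME, KEY_CREATED))
```

The consistency check only catches a mangled or mismatched display; it does not establish trust by itself, because the fingerprint zypper shows travels over the same channel as the packages. Only the comparison against EXPECTED_FPR adds anything, and that value must come from somewhere with a different trust path than the repository itself. After accepting, `rpm -qi gpg-pubkey-8b662dfb-61347fd3` shows the imported key so the same fingerprint can be re-checked later.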
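The one-click file behind the button is a plain XML document (.ymp) that lists every repository YaST will offer to add, so it can be downloaded and read before YaST ever sees it. The following is an added example, not code from this thread or from openSUSE's one-click tooling; the XML namespace is the one software.opensuse.org uses for these files (treated as an assumption here), and SAMPLE_YMP is a constructed, shortened file modelled on the matrix-element-web page named in the post, not the real download.

```python
"""List what a one-click-install (.ymp) file would add before letting YaST act on it.

Added example, not from the thread or from openSUSE. SAMPLE_YMP is constructed;
the namespace URI is assumed to be the one software.opensuse.org emits.
"""
import xml.etree.ElementTree as ET

NS = {"oci": "http://opensuse.org/Standards/One_Click_Install"}

# Constructed sample: one project repo plus one extra repo, to show how a .ymp
# can pull in more than the single repository you expected.
SAMPLE_YMP = """<?xml version="1.0" encoding="UTF-8"?>
<metapackage xmlns="http://opensuse.org/Standards/One_Click_Install">
  <group distversion="openSUSE Tumbleweed">
    <repositories>
      <repository recommended="true">
        <name>home:ecsos:messenger:matrix</name>
        <summary>An open network for secure, decentralized communication.</summary>
        <url>https://download.opensuse.org/repositories/home:/ecsos:/messenger:/matrix/openSUSE_Tumbleweed/</url>
      </repository>
      <repository recommended="false">
        <name>home:someone:else</name>
        <summary>constructed extra repository for the example</summary>
        <url>https://download.opensuse.org/repositories/home:/someone:/else/openSUSE_Tumbleweed/</url>
      </repository>
    </repositories>
    <software>
      <item>
        <name>matrix-element-web</name>
        <summary>constructed summary</summary>
      </item>
    </software>
  </group>
</metapackage>
"""


def parse_ymp(text: str):
    """Return (repositories, package names) declared in a .ymp document."""
    root = ET.fromstring(text)
    repos = []
    for r in root.iterfind(".//oci:repository", NS):
        repos.append({
            "name": r.findtext("oci:name", default="", namespaces=NS),
            "url": r.findtext("oci:url", default="", namespaces=NS),
            "recommended": r.get("recommended") == "true",
        })
    pkgs = [i.findtext("oci:name", default="", namespaces=NS)
            for i in root.iterfind(".//oci:item", NS)]
    return repos, pkgs


def unexpected_repositories(repos, allowed_url_prefixes):
    """Repositories whose URL is outside the prefixes you intended to trust."""
    return [r for r in repos
            if not any(r["url"].startswith(p) for p in allowed_url_prefixes)]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_YMP
    repos, pkgs = parse_ymp(text)
    print("packages:", pkgs)
    for r in repos:
        flag = "recommended" if r["recommended"] else "optional"
        print(f"  [{flag}] {r['name']}: {r['url']}")
    extra = unexpected_repositories(repos, ["https://download.opensuse.org/repositories/home:/ecsos:/"])
    if extra:
        print("repositories outside the intended project:", [r["name"] for r in extra])
```

Fetch the .ymp with curl to a file and pass the file name as the first argument; the script then prints every repository the file would have YaST add, marked recommended or optional, and flags any whose URL is outside the prefix you meant to trust. Each repository listed there brings its own signing key prompt, so the fingerprint check has to be repeated per repository, not once.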