On 14.06.2022 20:25, cagsm wrote: ...
> All I find so far is this user, who has a lot of projects on the build infrastructure of openSUSE, so this might mean this author is very capable and knowledgeable. So far so good. But how to verify this key and the bits?
Define "verify".
> <https://build.opensuse.org/users/ecsos> I don't see homepages or other means and other main sources of authority for keys? Or how is this supposed to work? How to establish
What do you mean by "authority"? Do you understand how PGP was intended to work? There is no authority by definition.
> trust to this author and its produce?
How is it different from downloading any other software or distribution? How do you verify the openSUSE distribution? What makes you trust downloaded binaries?

Regarding OBS projects: the project signing key is generated internally. The private key is not accessible from outside. The public key can be downloaded via the OBS API or using the osc command. I was sure it was also offered via the web GUI, but apparently only the project owner can download keys. These are the same keys as are provided on download.o.o for the repository where binaries built inside the project are published. So project keys allow you to detect that keys have been changed after you added the repository. They do not provide any proof of origin. Like with any other PGP key, someone may sign the public key, in which case, if you trust the person who signed it AND TRUST THAT HE ALSO VERIFIED THIS KEY, you may trust it a bit more.
> I do not use "oneclick", but manually download and install.
> About this oneclick, I was actually thinking this would also simply add this one repo of "ecsos" and prepare zypp, but when selecting that oneclick stuff from the pages at
> or
> a YaST repositories GUI comes up, and it kind of shows like tens of repos it's trying to add, a lot of stuff, scary to me? <https://paste.opensuse.org/46477611>
> Why this huge difference to that single repo that is given in the expert details on software.opensuse.org?
This is a long-standing problem in one click install and software.o.o. An OBS project may link to other projects, in which case packages from those projects are used when building software. If project A links to and is using packages from project B, it means that packages from project A now (may) depend on packages from project B. The most obvious example is the update repository, which is not self-contained: updated packages still depend on packages from the main repository. So when building the one click install definition, software.o.o generates repositories for all linked projects, which ensures that you can actually install binaries with all needed dependencies. The problems now are:

- software.o.o also adds the main repositories for the distribution, which is obviously redundant, as these repositories are expected to always be present
- the yast one click install module does not check that repositories are already present, so they are added multiple times
- and last but not least, with Leap 15.3 and above packages are actually built on the internal SUSE OBS. Only the resulting binaries are copied into the openSUSE repository. But software.o.o STILL generates references to those internal repositories, which are not accessible from outside and result in errors when trying to install software
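The earlier reply makes the point that a project key lets you detect that the key served by a repository has changed since you added it, without proving who is behind it. The Python below is an added example of that check, not code from this thread or from OBS, osc or zypper: it computes the OpenPGP v4 fingerprint of an armored public key block the way GnuPG does (SHA-1 over 0x99, the two-byte body length and the primary key packet body) and compares it to a pinned value. The assumed workflow is that you recorded the fingerprint of `repodata/repomd.xml.key` (or of the key `osc signkey PROJECT` prints) when you added the repo, and later re-read whatever the repo serves now. The key material in the block is constructed for the demo and is not a real key.

```python
"""Pin a repository signing key by its OpenPGP v4 fingerprint and detect a change.

Added example: not from the mailing-list thread and not OBS, osc or zypper code.
Assumed workflow: record the fingerprint of the key a repo serves when you add
it, later re-read the key and compare. The demo key below is constructed.
"""
import base64
import hashlib
import struct


def _mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_rsa_pubkey_packet(n: int, e: int, created: int, new_format: bool = False) -> bytes:
    """Public-key packet (tag 6) with a v4 RSA body (RFC 4880 5.5.2).
    The header style is selectable to show the fingerprint covers the body only."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    if new_format:
        header = bytes([0xC0 | 6, 0xFF]) + struct.pack(">I", len(body))
    else:
        header = bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body))
    return header + body


def armor(packets: bytes) -> str:
    """ASCII-armor without the optional CRC24 trailer (dearmor() skips it anyway)."""
    b64 = base64.b64encode(packets).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            + "\n".join(lines) + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text: str) -> bytes:
    """Strip armor headers, the blank separator line and the '=CRC' line."""
    in_block = in_body = False
    chunks = []
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_block = True
            continue
        if line.startswith("-----END PGP"):
            break
        if not in_block:
            continue
        if not in_body:
            in_body = line.strip() == ""      # blank line ends the armor headers
            continue
        if not line.startswith("="):          # '=xxxx' is the CRC24, not key data
            chunks.append(line.strip())
    return base64.b64decode("".join(chunks))


def packets(data: bytes):
    """Yield (tag, body) for each old- or new-format packet (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                      # new format: tag in the low 6 bits
            tag, o1 = first & 0x3F, data[i + 1]
            if o1 < 192:
                length, hdr = o1, 2
            elif o1 < 224:
                length, hdr = ((o1 - 192) << 8) + data[i + 2] + 192, 3
            elif o1 == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported here")
        else:                                 # old format: tag in bits 2-5
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def v4_fingerprint(armored: str) -> str:
    """SHA-1 over 0x99 || 2-byte body length || primary key body (RFC 4880 12.2)."""
    for tag, body in packets(dearmor(armored)):
        if tag == 6:
            if body[0] != 4:
                raise ValueError("only v4 keys handled")
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    raise ValueError("no public-key packet found")


def key_changed(pinned_fingerprint: str, armored_now: str) -> bool:
    """True if the key the repository serves now is not the one you pinned."""
    return v4_fingerprint(armored_now) != pinned_fingerprint.replace(" ", "").upper()


# Constructed demo material (not a real key): the modulus is just a 2048-bit number.
DEMO_N = (1 << 2047) | 0x1234_5678_9ABC_DEF1
DEMO_CREATED = 1_655_000_000                     # arbitrary creation time (June 2022)
DEMO_KEY = armor(build_rsa_pubkey_packet(DEMO_N, 65537, DEMO_CREATED))
PINNED = v4_fingerprint(DEMO_KEY)                 # what you recorded when adding the repo
ROTATED_KEY = armor(build_rsa_pubkey_packet(DEMO_N, 65537, DEMO_CREATED + 1))

if __name__ == "__main__":
    print("pinned fingerprint:", PINNED)
    print("same key changed:", key_changed(PINNED, DEMO_KEY))
    print("rotated key changed:", key_changed(PINNED, ROTATED_KEY))
```

The comparison only tells you the key is the same one you saw the first time, which is exactly the guarantee the reply describes; it says nothing about who controls the OBS project. For a real key file, run the same function over the contents of `repomd.xml.key` and compare with what `gpg --show-keys --with-fingerprint` prints to convince yourself the two agree.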
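The three problems listed above (redundant main repositories, no check for repositories that are already present, and references to build-service repositories that are not reachable from outside) can all be caught by looking at the .ymp file before YaST touches it. The Python below is an added example of such a pre-flight check, not software.o.o or YaST code. It assumes the .ymp layout shown in the constructed sample (metapackage/group/repositories/repository with name and url, software/item/name, the One_Click_Install namespace), a list of repository URLs as `zypper lr -u` lists them, and an allow-list of hosts you consider reachable, so anything on another host (here a placeholder hostname standing in for an internal-only build service) is flagged for review instead of being added. All sample data is constructed.

```python
"""Inspect a software.o.o one-click (.ymp) file before handing it to YaST.

Added example: not from the thread, and not software.o.o or YaST code.
Assumptions: the .ymp layout used below; existing repo URLs as `zypper lr -u`
lists them; an allow-list of hosts you accept. All sample data is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"ymp": "http://opensuse.org/Standards/One_Click_Install"}

# Constructed .ymp resembling what software.o.o emits for a home: project on Leap 15.3.
# The last repository uses a placeholder host standing in for an internal-only OBS.
SAMPLE_YMP = """<?xml version="1.0"?>
<metapackage xmlns="http://opensuse.org/Standards/One_Click_Install">
  <group distversion="openSUSE Leap 15.3">
    <repositories>
      <repository recommended="true">
        <name>home:ecsos</name>
        <url>https://download.opensuse.org/repositories/home:/ecsos/15.3/</url>
      </repository>
      <repository recommended="true">
        <name>Leap 15.3 OSS (main)</name>
        <url>http://download.opensuse.org/distribution/leap/15.3/repo/oss/</url>
      </repository>
      <repository recommended="true">
        <name>Leap 15.3 Update</name>
        <url>https://download.opensuse.org/update/leap/15.3/oss</url>
      </repository>
      <repository recommended="true">
        <name>internal build project (placeholder)</name>
        <url>https://obs.internal.example/project/standard/</url>
      </repository>
    </repositories>
    <software>
      <item><name>somepackage</name></item>
    </software>
  </group>
</metapackage>
"""

# Constructed: what `zypper lr -u` might already list on that host.
EXISTING_REPOS = [
    "http://download.opensuse.org/distribution/leap/15.3/repo/oss/",
    "http://download.opensuse.org/update/leap/15.3/oss/",
]

PUBLIC_HOSTS = {"download.opensuse.org"}   # assumption: the only host accepted unseen


def normalize(url: str) -> str:
    """A repo's identity is host + path; scheme and trailing slash vary between
    what software.o.o emits and what zypper already has, so ignore them."""
    p = urlparse(url.strip())
    return (p.hostname or "").lower() + "/" + p.path.strip("/")


def parse_ymp(text: str):
    """Return ([{name, url, recommended}, ...], [package names])."""
    root = ET.fromstring(text)
    repos = [{
        "name": r.findtext("ymp:name", "", NS).strip(),
        "url": r.findtext("ymp:url", "", NS).strip(),
        "recommended": r.get("recommended") == "true",
    } for r in root.iterfind(".//ymp:repositories/ymp:repository", NS)]
    packages = [i.findtext("ymp:name", "", NS).strip()
                for i in root.iterfind(".//ymp:software/ymp:item", NS)]
    return repos, packages


def plan(ymp_text: str, existing_urls, public_hosts=PUBLIC_HOSTS):
    """Sort the .ymp repositories into: add / already present / flagged for review."""
    repos, packages = parse_ymp(ymp_text)
    present = {normalize(u) for u in existing_urls}
    seen = set()
    result = {"add": [], "already_present": [], "flagged": [], "packages": packages}
    for r in repos:
        key = normalize(r["url"])
        if key in seen:                      # same repo listed twice in one file
            continue
        seen.add(key)
        host = (urlparse(r["url"]).hostname or "").lower()
        if key in present:
            result["already_present"].append(r["name"])
        elif host not in public_hosts:
            result["flagged"].append(r["name"])
        else:
            result["add"].append(r["name"])
    return result


if __name__ == "__main__":
    for bucket, names in plan(SAMPLE_YMP, EXISTING_REPOS).items():
        print(f"{bucket}: {names}")
```

On the sample, only `home:ecsos` ends up in the "add" bucket, the two distribution repositories are recognised as already present despite the http/https and trailing-slash differences, and the placeholder internal repository is flagged rather than added. With a real .ymp and the output of `zypper lr -u` as input, the flagged bucket is where the unreachable build-service references described above would show up, and the "add" bucket is the single repository you would add by hand with `zypper ar`.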