On Mon, Jun 13, 2022 at 8:41 PM Patrick Shanahan wrote:

...

more questions by a noob with linux and desktop. The elements chat (formerly riot chat) for the matrix ecosystem and network, seems to be available via flatpak flathub according to imnsho: *always* utilize packages built specifically for your installed system. *only* use "flatpack/or ..." when there is absolutely no other available solution. use https://software.opensuse.org/search

I really must have missed these results, I did look for them :( Thanks for pointing it out: https://software.opensuse.org/package/matrix-element-web How about the community provided packages on these repositories and in the opensuse universe, how strustworthy are these builds and compilations? Is there some safeguards against misuse and malicious codes compilation or such things in the build infrastructure of opensuse, or are there always multiple people guarding and owning these projects and packages or how does all this work? do I just trust this repository or project, oneclick install etc? thanks also for all the threads answers. I wonder if flatpak would be a different aproach to this trust issue and if maybe flatpak software has some kind of capsulation or containersiation (or what it could be called and technically designed these days?), barriers and "virtualisation" of processes and access rights and such stuff agains malicious software, so that the local system would be less compromised? or is there no such features inside flatpak? Or is the opensuse apparmor the means and place to look for more restrictions safetey and lockdown of such comminity packages or something? ty a lot.

On Tue, Jun 14, 2022 at 3:12 PM Patrick Shanahan wrote:

...

How about the community provided packages on these repositories and in the opensuse universe, how strustworthy are these builds and compilations? Is there some safeguards against misuse and malicious codes compilation or such things in the build infrastructure of opensuse, or are there always multiple people guarding and owning these projects and packages or how does all this work? do I just trust this repository or project, oneclick install etc? how safe are you walking across the street?

well I am trying to find some ways and starting points to bootstrap into this universe. The zypper says I need to check the trust before accepting it e.g. via some other ways to acquire the authors pgp key for example via the homepage. seriously how to establish and start trust from scratch? this is software running on the machine after all. I may trust the opensuse distro, I tried to verfiy downloads isos opensuse keys and stuff. So how to extend trust to this authors packages? first: sudo zypper addrepo https://download.opensuse.org/repositories/home:ecsos:messenger:matrix/15.4/... Adding repository 'An open network for secure, decentralized communication. (15.4)' ....................................................................................................................................................................................[done] Repository 'An open network for secure, decentralized communication. (15.4)' successfully added URI : https://download.opensuse.org/repositories/home:/ecsos:/messenger:/matrix/15... Enabled : Yes GPG Check : Yes Autorefresh : No Priority : 99 (default priority) Repository priorities are without effect. All enabled repositories share the same priority. then: sudo zypper ref New repository or package signing key received: Repository: An open network for secure, decentralized communication. (15.4) Key Fingerprint: B302 1BFB 9FA8 05CD E0DA EA33 CFFB A00A 8B66 2DFB Key Name: home:ecsos OBS Project home:ecsos@build.opensuse.org Key Algorithm: RSA 2048 Key Created: Sun 05 Sep 2021 10:29:07 AM CEST Key Expires: Tue 14 Nov 2023 09:29:07 AM CET Rpm Name: gpg-pubkey-8b662dfb-61347fd3 Note: Signing data enables the recipient to verify that no modifications occurred after the data were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system and in extreme cases even to a system compromise. Note: A GPG pubkey is clearly identified by it's fingerprint. Do not rely the keys name. If you are not sure whether the presented key is authentic, ask the repository provider or check his web site. Many provider maintain a web page showing the fingerprints of the GPG keys they are using. Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): All i find so far is this user who has a lot of projects on the build infrastructure of opensuse, so this might mean this author is very capable and knwoledgable. so far so good. but how to verfiy this key and the bits? https://build.opensuse.org/users/ecsos I dont see homepages or other means and other main sources of authority for keys? or how is this supposed to work? how to establish trust to this author and its produce?

I do not use "oneclick", but manually dl and install.

about this oneclick, I was actually thinking this would also simply add this one repo of "ecsos" and prepare zypp, but when selecting that oneclick stuff from the pages at https://software.opensuse.org/ymp/home:ecsos:messenger:matrix/openSUSE_Tumbleweed/matrix-element-web.ymp?base=openSUSE%3AFactory&query=matrix-element-web or https://software.opensuse.org/download/package?package=matrix-element-web&project=home%3Aecsos%3Amessenger%3Amatrix a yast repositories gui comes up and it kind of shows like tens of repos its trying to add lot of stuff scary to me? https://paste.opensuse.org/46477611 Why this huge difference to that single repo that is given in the expert details on software opensuse org Thank you a lot.

On Tue, 14 Jun 2022 19:25:41 +0200 cagsm wrote:

a yast repositories gui comes up and it kind of shows like tens of repos its trying to add lot of stuff scary to me? https://paste.opensuse.org/46477611

Why this huge difference to that single repo that is given in the expert details on software opensuse org

Exactly, WHY add a dozen repos? I just download, park in a folder of my own choice, insert that folder as a repo in Yast and done. But the underlying question isn't just a check to see if the file had been changed enroute, it's a check on whether the original author is trustable at all and there's no way of knowing that unless you know the person! I'm willing to risk using binaries from Suse, that's *already a compromise* compared to compiling, but that's where it ends. Flatpacking 'could' be the future answer for many reasons but if ever I install a binary flatpack it will have to come from Suse as well. BTW since when does a flatpack have to be binary? Right now hundreds wanna become the github of the future, millions of clickmoney waiting, but github is no more trustworthy than a used car salesman called Honest Igor :-) -- Oh Lord of the Keyrings on high, have I got bad news for you: the word trust is nowhere to be found in my security dictionary.

On 14.06.2022 20:25, cagsm wrote: ...

All i find so far is this user who has a lot of projects on the build infrastructure of opensuse, so this might mean this author is very capable and knwoledgable. so far so good. but how to verfiy this key and the bits?

Define "verify".

https://build.opensuse.org/users/ecsos I dont see homepages or other means and other main sources of authority for keys? or how is this supposed to work? how to establish

What do you mean with "authority"? Do you understand how PGP was intended to work? There is no authority by definition.

trust to this author and its produce?

How is it different to downloading any other software or distribution? How do you verify openSUSE distribution? What makes you trust download binaries? Regarding OBS projects - project signing key is generated internally. Private key is not accessible from outside. Public key can be downloaded via OBS API or using osc command. I was sure it was also offered via web GUI, but apparently only project owner can download keys. These are the same keys as are provided on download.o.o for the repository where binaries built inside the project are published. So project keys allow you to detect that keys have been changed after you added repository. They do not provide any proof of origin. Like with any other PGP key, someone may sign public key in which case if you trust the person who signed it AND TRUST THAT HE ALSO VERIFIED THIS KEY you may trust it a bit more.

...

I do not use "oneclick", but manually dl and install.

about this oneclick, I was actually thinking this would also simply add this one repo of "ecsos" and prepare zypp, but when selecting that oneclick stuff from the pages at

https://software.opensuse.org/ymp/home:ecsos:messenger:matrix/openSUSE_Tumbleweed/matrix-element-web.ymp?base=openSUSE%3AFactory&query=matrix-element-web

or

https://software.opensuse.org/download/package?package=matrix-element-web&project=home%3Aecsos%3Amessenger%3Amatrix

a yast repositories gui comes up and it kind of shows like tens of repos its trying to add lot of stuff scary to me? https://paste.opensuse.org/46477611

Why this huge difference to that single repo that is given in the expert details on software opensuse org

This is long standing problem in one click install and software.o.o. OBS project may link to another projects, in this case packages from other projects are used when building software. If project A links to and is using packages from project B it means that packages from project A now (may) depend on packages from project B. The most obvious example is update repository which is not self-contained - updated packages still depend on packages from main repository. So when building one click install definition software.o.o generates repositories for all linked projects which ensures that you can actually install binaries with all needed dependencies. The problems now are - software.o.o also adds main repositories for the distribution which is obviously redundant, as these repositories are expected to always be present - yast one click install module does not check that repositories are already present so they are added multiple times - and last but not least - with Leap 15.3 and above packages are actually built on internal SUSE OBS. Only resulting binaries are copied inside of openSUSE repository. But software.o.o STILL generates reference to those internal repositories that are not accessible from outside and result in errors when trying to install software

* cagsm [06-15-22 10:58]: ...

how do you verify a thing in the universe? somewhere back in elementary school(?) i learned that maybe a second way to make a calculation, a different technical means which eventually or hopefully would come up with the same result. checking. verifying. i wonder if i am this pedantic or if i am just incompatible with this world?

the best we can hope for is shared experience. thus pgp past that, you are the administrator of your box/environment and make decisions based on your knowledge and experience (or not). there are no absolutes except zero. -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet oftc