On 2012-05-11 14:39, Marcus Meissner wrote:
I still do not know which repo you are talking about.
When installing openSUSE, a set of core keys for our validated repositories are added to the trusted keyring of the system.
I know.
This covers the regular update channel.
So installing the system, having the OSS and NON-OSS or UPDATE repo added should never require such a query.
I know - but.

The fate proponents propose to have *all* repo keys published in an https server in some manner that we can verify the keys used by zypper/yast/rpm. The alternative proposal is to have *all* repo keys included in the DVD. To this I counter that keys expire, and you have to import them again, over a non trustful channel. To counter this, it is proposed that those keys can be updated via rpm update from the updates repo. And I say that if it is the update repo key which is expired, I can not update it in a trusted manner. No matter that I trust SUSE, I can not know if it is SUSE which offers the upgrade or a rogue mirror, because the key is at the moment invalid.

Do you understand the problem?

Currently what zypper does is suddenly request importing a key - there is no mechanism to verify that the key is correct comparing via another channel. This is what is missing, an alternative channel to verify the gpg keys, that's all.

--
Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)