On 2012-05-13 10:59, Josef Wolf wrote:
> On Fri, May 11, 2012 at 01:02:43PM +0200, Carlos E. R. wrote:
>> Which is usually supplied to me by mirrors. Then the chain of security can be intercepted even if downloaded from suse because the server is not https.
>
> The same holds true for _every_ security patch you install. You surely install security patches, don't you?

Yes, but those patches are signed, and security is maintained. The problem arises when the update repo changes key; there is no secure channel to update the key.

> BTW: shouldn't the packages be signed to keep mirrors from manipulating them? I hope those keys are not just for fun?

They are. The hole is in the transmission of the keys themselves.

-- 
Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)