Folks, per http://www.opensuse.org/Additional_YaST_Package_Repositories, there's a bit of a warning: YaST fully trusts installation sources and does not perform any kind of authenticity verification on the contained packages. So be careful when adding installation sources on the Internet. I guess that means there's no GPG key for other installation sources. Is there any other way to verify installation sources, such as Packman or Guru, or even the standard mirrors listed at http://www.novell.com/products/suselinux/downloads/ftp/int_mirrors.html, or am I just being paranoid? Thanks, Mike
Op zondag 18 december 2005 10:50, schreef MJang:
Folks,
per http://www.opensuse.org/Additional_YaST_Package_Repositories, there's a bit of a warning:
YaST fully trusts installation sources and does not perform any kind of authenticity verification on the contained packages. So be careful when adding installation sources on the Internet.
I guess that means there's no GPG key for other installation sources.
Is there any other way to verify installation sources, such as Packman or Guru, or even the standard mirrors listed at http://www.novell.com/products/suselinux/downloads/ftp/int_mirrors.html, or am I just being paranoid?
You can use apt. It check each package on each gpg key. Further more it is easy to obtain the gpg keys. More about it on http://linux01.gwdg.de/apt4rpm However, suse is moving into yum and smartpm... -- Richard Bos Without a home the journey is endless
Richard Bos wrote:
You can use apt.
if I understand well, this is not the problem. with a new dowload site one can have a pgp key, but who is the site owner? if he's a cracker... however I don't think a cracker could make his bad work a long time. but better be carefull jdd -- pour m'écrire, aller sur: http://www.dodin.net
MJang:
Folks,
per http://www.opensuse.org/Additional_YaST_Package_Repositories, there's a bit of a warning:
YaST fully trusts installation sources and does not perform any kind of authenticity verification on the contained packages. So be careful when adding installation sources on the Internet.
I guess that means there's no GPG key for other installation sources.
Is there any other way to verify installation sources, such as Packman or Guru, or even the standard mirrors listed at http://www.novell.com/products/suselinux/downloads/ftp/int_mirrors.html, or am I just being paranoid?
Thanks, Mike
Guru's RPM Signing Key rpm --import http://linux01.gwdg.de/~pbleser/guru-rpm.asc
Op zondag 18 december 2005 19:56, schreef Edward Krack:
Guru's RPM Signing Key rpm --import http://linux01.gwdg.de/~pbleser/guru-rpm.asc
All known keys: ftp://ftp.gwdg.de/pub/linux/misc/apt4rpm/rpmkeys -- Richard
participants (4)
-
Edward Krack -
jdd -
MJang -
Richard Bos