[opensuse] Missing packages in opensuse-12.1
Hello everybody, I have installed opensuse-12.1 and found that some packages are no longer available. Notably, this are lha, keepassx, wxMaxima, grip, pspdftool Those packages were available on the old opensuse installation (11.1 or something). I think they were in the Contrib repository, but this don't seem to be available anymore. Any ideas what happened to those packages and where to get them? Thanks, -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Hello everybody,
I have installed opensuse-12.1 and found that some packages are no longer available. Notably, this are
lha, keepassx, wxMaxima, grip, pspdftool
Those packages were available on the old opensuse installation (11.1 or something). I think they were in the Contrib repository, but this don't seem to be available anymore.
Any ideas what happened to those packages and where to get them?
Thanks, I cannot comment on all but wxmaxima and maxima are in the education repository (and also if you prefer that in the science repository). You can add the education repo directly in yast in the comunity repositories
Am 10.05.2012 12:02, schrieb Josef Wolf: list. For the others try the search at http://software.opensuse.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, May 10, 2012 at 12:18:42PM +0200, Martin Helm wrote:
Am 10.05.2012 12:02, schrieb Josef Wolf:
[ missing packages]
I cannot comment on all but wxmaxima and maxima are in the education repository (and also if you prefer that in the science repository). You can add the education repo directly in yast in the comunity repositories list.
For the others try the search at http://software.opensuse.org
Thanks, So i figured, I need OpenSUSE:Factory:Contrib, science and Education. Where do I get the fingerprints of those repositories, and what would be the proper way to install them (non-interactively, on the command line)? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Am 10.05.2012 14:14, schrieb Josef Wolf:
Thanks, So i figured, I need OpenSUSE:Factory:Contrib, science and Education. Where do I get the fingerprints of those repositories, and what would be the proper way to install them (non-interactively, on the command line)? For example science (my maxima is from science, hence the example)
su - zypper ar http://download.opensuse.org/repositories/science/openSUSE_12.1/ science zypper ref zypper in maxima wxMaxima Similar for the others. I never found a way to get the fingerprints, I accept them if I trust the repo, maybe someone else knows better. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
* Martin Helm <martin@mhelm.de> [05-10-12 08:28]:
Am 10.05.2012 14:14, schrieb Josef Wolf:
Thanks, So i figured, I need OpenSUSE:Factory:Contrib, science and Education. Where do I get the fingerprints of those repositories, and what would be the proper way to install them (non-interactively, on the command line)? For example science (my maxima is from science, hence the example)
su - zypper ar http://download.opensuse.org/repositories/science/openSUSE_12.1/ science zypper ref zypper in maxima wxMaxima
Similar for the others.
I never found a way to get the fingerprints, I accept them if I trust the repo, maybe someone else knows better.
hand edit /etc/zypp/repos.d/<repo-name>.repo [packman-essentials] name=Packman Essentials repository (openSUSE_Tumbleweed) enabled=1 autorefresh=1 baseurl=http://packman.inode.at/suse/openSUSE_Tumbleweed/Essentials type=rpm-md gpgcheck=1 gpgkey=http://packman.inode.at/suse/openSUSE_Tumbleweed/Essentials/repodata/repomd.... keeppackages=0 enable "gpgcheck", set to "1" define gpgkey, as above iiuc ymmv -- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://linuxcounter.net -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-10 14:14, Josef Wolf wrote:
Where do I get the fingerprints of those repositories,
Please vote for this feature: <https://features.opensuse.org/312047> - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+rwmUACgkQIvFNjefEBxqJqwCgzc4EkULdzT8k22Y3DZNyAxZw pQsAoMC+iBuDzuvoYX8Ha566vzamfno8 =P0fm -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, May 10, 2012 at 03:28:05PM +0200, Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2012-05-10 14:14, Josef Wolf wrote:
Where do I get the fingerprints of those repositories,
Please vote for this feature: <https://features.opensuse.org/312047>
I'm not entirely sure whether this would be the right way to do it. I think a better way would be to include one (or maybe several) rpm's with the keys in the core distribution. With this, installing and accepting the keys would be a simple matter of zypper install packman-keys factory-contrib-keys foobar-keys or something. This could even be extended to include all the information for the repository (URL, whatever). Thus, a simple command like zypper install packman-repos factory-contrib-repos education-repos would make those repositories available and accept the keys with one simple command. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-10 15:47, Josef Wolf wrote:
On Thu, May 10, 2012 at 03:28:05PM +0200, Carlos E. R. wrote:
On 2012-05-10 14:14, Josef Wolf wrote:
Where do I get the fingerprints of those repositories,
Please vote for this feature: <https://features.opensuse.org/312047>
I'm not entirely sure whether this would be the right way to do it. I think a better way would be to include one (or maybe several) rpm's with the keys in the core distribution. With this, installing and accepting the keys would be a simple matter of
Keys have a period of validity. What do you do when a key changes? They will not be on any dvd. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+rydUACgkQIvFNjefEBxrbywCeIqZeoSzMbIAKHRKuQ+2rn+O3 A98An23hB8p8GM4HKkQ5vZSXcT3XlvlH =6ZDn -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, May 10, 2012 at 03:59:49PM +0200, Carlos E. R. wrote:
On 2012-05-10 15:47, Josef Wolf wrote:
On 2012-05-10 14:14, Josef Wolf wrote:
Where do I get the fingerprints of those repositories, Please vote for this feature: <https://features.opensuse.org/312047> I'm not entirely sure whether this would be the right way to do it. I
On Thu, May 10, 2012 at 03:28:05PM +0200, Carlos E. R. wrote: think a better way would be to include one (or maybe several) rpm's with the keys in the core distribution. With this, installing and accepting the keys would be a simple matter of
Keys have a period of validity. What do you do when a key changes? They will not be on any dvd.
How do you make security updates available to the package manager when they are not on the DVD? It's the same: zypper refresh simple, eh? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-10 16:26, Josef Wolf wrote:
How do you make security updates available to the package manager when they are not on the DVD? It's the same:
zypper refresh
simple, eh?
And how do you trust the security of the updates key when it changes? It is not so simple. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+sC7wACgkQIvFNjefEBxoTLgCdFG2OKqq1GOOz38YiuJk/wI9s /hIAoKJf+2ysnULuxpofodXHl+3HRGCy =DvnW -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, May 10, 2012 at 08:41:00PM +0200, Carlos E. R. wrote:
On 2012-05-10 16:26, Josef Wolf wrote:
How do you make security updates available to the package manager when they are not on the DVD? It's the same:
zypper refresh
simple, eh?
And how do you trust the security of the updates key when it changes? It is not so simple.
How do you trust the security of the kernel update? It's the same! -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-10 21:31, Josef Wolf wrote:
How do you trust the security of the kernel update? It's the same!
It is not the same issue. The kernel updates, when they start coming, have the same key as in the DVD. When the key changes, there is no way to trust the new key. The current key is not valid, and you have to import the new key blindly. To install the package with the new updated key, you have to trust the key first. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+sK+0ACgkQIvFNjefEBxopwACgvjPoadKsASV+1oynzxbbf11m rG8AoLTE5ypE0l0VP5Qo+QGw6TNasssi =KQAF -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, May 10, 2012 at 10:58:21PM +0200, Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2012-05-10 21:31, Josef Wolf wrote:
How do you trust the security of the kernel update? It's the same!
It is not the same issue. The kernel updates, when they start coming, have the same key as in the DVD. When the key changes, there is no way to trust the new key. The current key is not valid, and you have to import the new key blindly. To install the package with the new updated key, you have to trust the key first.
You did not understand. The package packman-keys would _not_ be in the packman repository. It would be in a core repository supplied by suse (I wrote that earlier in this thread). Whom do you trust if you load the keys from an arbitrary website, as suggested by the ticket you mentioned earlier in the thread? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-11 12:15, Josef Wolf wrote:
On Thu, May 10, 2012 at 10:58:21PM +0200, Carlos E. R. wrote:
You did not understand. The package packman-keys would _not_ be in the packman repository. It would be in a core repository supplied by suse (I wrote that earlier in this thread).
I said nothing yet about packman. This is about openSUSE.
Whom do you trust if you load the keys from an arbitrary website, as suggested by the ticket you mentioned earlier in the thread?
Not from arbitrary website. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+s8WMACgkQIvFNjefEBxrcRQCgulaAxJNd3wPSczxQnK0z2q3v cBQAmwaWNUpkyt+OxcXAmG0ZucTDrXVB =RoB3 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 5/10/2012 3:31 PM, Josef Wolf wrote:
On Thu, May 10, 2012 at 08:41:00PM +0200, Carlos E. R. wrote:
On 2012-05-10 16:26, Josef Wolf wrote:
How do you make security updates available to the package manager when they are not on the DVD? It's the same:
zypper refresh
simple, eh?
And how do you trust the security of the updates key when it changes? It is not so simple.
How do you trust the security of the kernel update? It's the same!
You DON'T trust the kernel update. You trust SUSE. And you trust the key to ensure that you are in fact dealing with SUSE. -- bkw -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-10 23:34, Brian K. White wrote:
You DON'T trust the kernel update. You trust SUSE. And you trust the key to ensure that you are in fact dealing with SUSE.
Yes, I do trust SUSE. But how can I trust that the repo key I'm importing is really supplied by SUSE and not by a rogue repo owner? - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+sNRMACgkQIvFNjefEBxoo8gCeK8I/oXeGlhA/ZO27PtuYa3s6 joEAoKZ8JaHNo8WR0ZSic42/CrK6l5NV =cYh1 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, May 10, 2012 at 11:37:23PM +0200, Carlos E. R. wrote:
On 2012-05-10 23:34, Brian K. White wrote:
You DON'T trust the kernel update. You trust SUSE. And you trust the key to ensure that you are in fact dealing with SUSE.
Yes, I do trust SUSE. But how can I trust that the repo key I'm importing is really supplied by SUSE and not by a rogue repo owner?
So ... first ... which repo do you import? Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-10 23:54, Marcus Meissner wrote:
On Thu, May 10, 2012 at 11:37:23PM +0200, Carlos E. R. wrote:
So ... first ... which repo do you import?
If I'm paranoid, none. Being practical, I knock on wood, blindly import the key, and update. The problem is that there is no method to validate repo keys, which is what the proposed feature tries to address. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+sPkQACgkQIvFNjefEBxof3QCgrTE6/ZLNbVuRodBuIPD8HA1N 4WsAn0C6LqjEzXDc9REfjNDCZLBnp5l3 =ECuE -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Fri, May 11, 2012 at 12:16:37AM +0200, Carlos E. R. wrote:
On 2012-05-10 23:54, Marcus Meissner wrote:
On Thu, May 10, 2012 at 11:37:23PM +0200, Carlos E. R. wrote:
So ... first ... which repo do you import? If I'm paranoid, none.
So you don't install security updates? Strange kind of paranoidity... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-11 12:17, Josef Wolf wrote:
On Fri, May 11, 2012 at 12:16:37AM +0200, Carlos E. R. wrote:
On 2012-05-10 23:54, Marcus Meissner wrote:
On Thu, May 10, 2012 at 11:37:23PM +0200, Carlos E. R. wrote:
So ... first ... which repo do you import? If I'm paranoid, none.
So you don't install security updates? Strange kind of paranoidity...
I can not trust they come from SUSE, no. It is obvious. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+s8foACgkQIvFNjefEBxpa3QCgsB76mXUH3bImIPggAB7aC3EI jJMAnjr181m9vF2ahfbPdgLMRT1p6Kxp =Y9F8 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Fri, May 11, 2012 at 01:03:22PM +0200, Carlos E. R. wrote:
On 2012-05-11 12:17, Josef Wolf wrote:
On Fri, May 11, 2012 at 12:16:37AM +0200, Carlos E. R. wrote:
On 2012-05-10 23:54, Marcus Meissner wrote:
On Thu, May 10, 2012 at 11:37:23PM +0200, Carlos E. R. wrote:
So ... first ... which repo do you import? If I'm paranoid, none.
So you don't install security updates? Strange kind of paranoidity...
I can not trust they come from SUSE, no. It is obvious.
I still do not know which repo you are talking about. When installing openSUSE, a set of core keys for our validated repositories are added to the trusted keyring of the system. This covers the regular update channel. So installing the system, having the OSS and NON-OSS or UPDATE repo added should never require such a query. Everything else surely will. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Fri, May 11, 2012 at 02:39:11PM +0200, Marcus Meissner wrote:
On Fri, May 11, 2012 at 01:03:22PM +0200, Carlos E. R. wrote:
On 2012-05-11 12:17, Josef Wolf wrote:
On Fri, May 11, 2012 at 12:16:37AM +0200, Carlos E. R. wrote:
On 2012-05-10 23:54, Marcus Meissner wrote:
On Thu, May 10, 2012 at 11:37:23PM +0200, Carlos E. R. wrote: So ... first ... which repo do you import? If I'm paranoid, none. So you don't install security updates? Strange kind of paranoidity... I can not trust they come from SUSE, no. It is obvious.
That's the point: those keys should be supplied by suse in one of their core repositories. I think, I've already written this several times.
I still do not know which repo you are talking about.
When installing openSUSE, a set of core keys for our validated repositories are added to the trusted keyring of the system.
This covers the regular update channel.
So installing the system, having the OSS and NON-OSS or UPDATE repo added should never require such a query.
But for Education, Contrib, Factory, science, there _is_ such a query. And for third-party repositories (e.g. Packman), I stoll don't have an answer how to install the keys. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-11 14:39, Marcus Meissner wrote:
I still do not know which repo you are talking about.
When installing openSUSE, a set of core keys for our validated repositories are added to the trusted keyring of the system.
I know.
This covers the regular update channel.
So installing the system, having the OSS and NON-OSS or UPDATE repo added should never require such a query.
I know - but. The fate proponents propose to have *all* repo keys published in an https server in some maner that we can verify the keys used by zypper/yast/rpm. The alternative proposal is to have *all* rpo keys included in the DVD. To this I counter that keys expire, and you have to import them again, over a non tustfull channel. To counter this, it is proposed that those keys can be updated via rpm update from the updates repo. And I say that if it is the update repo key which is expired, I can not update it in a trusted manner. No matter that I trust SUSE, I can not know if it is SUSE which offers the upgrade or a rogue mirror, because the key is at the moment invalid. Do you understand the problem? Currently what zypper does is suddenly request importing a key - there is no mechanism to verify that the key is correct comparing via another channel. This is what is missing, an alternative channel to verify the gpg keys, that's all. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+vv3gACgkQIvFNjefEBxrrrACfQgtaEKbHXtmdfeHQ2qdD9i6f 1yEAoMD7OWoog2akFlLOcMbgjICLA6hU =dXtR -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sun, May 13, 2012 at 04:04:40PM +0200, Carlos E. R. wrote:
And I say that if it is the update repo key which is expired, I can not update it in a trusted manner.
Ah! You are talking about expiration of the key for the _update_ repo. Thanks for clarifying! Well, that's the same problem as with every other (security) updates. Once those keys are expired, there's no way to get _any_ updates in a trusted manner. I don't see any new security issue introduced by having the keys for third-party repos in the core repository. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 5/10/2012 5:37 PM, Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2012-05-10 23:34, Brian K. White wrote:
You DON'T trust the kernel update. You trust SUSE. And you trust the key to ensure that you are in fact dealing with SUSE.
Yes, I do trust SUSE. But how can I trust that the repo key I'm importing is really supplied by SUSE and not by a rogue repo owner?
I know that. I was responding to Josef not you. -- bkw -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-11 00:19, Brian K. White wrote:
On 5/10/2012 5:37 PM, Carlos E. R. wrote:
Yes, I do trust SUSE. But how can I trust that the repo key I'm importing is really supplied by SUSE and not by a rogue repo owner?
I know that. I was responding to Josef not you.
Ah, Ok, I was clarifying. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+sSzYACgkQIvFNjefEBxp4mACfb1GW0YkQzgzckHjLK9RYi6AW KxkAoKCKoekvT883ij+dOtYVzlfvXgbv =X+VF -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, May 10, 2012 at 11:37:23PM +0200, Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2012-05-10 23:34, Brian K. White wrote:
You DON'T trust the kernel update. You trust SUSE. And you trust the key to ensure that you are in fact dealing with SUSE.
Yes, I do trust SUSE. But how can I trust that the repo key I'm importing is really supplied by SUSE and not by a rogue repo owner?
It is supplied by suse because it is in the core repository which is supplied by suse. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-11 12:16, Josef Wolf wrote:
On Thu, May 10, 2012 at 11:37:23PM +0200, Carlos E. R. wrote:
It is supplied by suse because it is in the core repository which is supplied by suse.
Which is usually supplied to me by mirrors. Then chain of security can be intercepted even if downloaded from suse because the server is not https. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+s8dMACgkQIvFNjefEBxpWpQCfTk2goeJeWe4gTmqC1lXvaQhi 1HoAn0HzZHBUKMYf+DrUF+Ukxws86fQ3 =Zr/0 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Fri, May 11, 2012 at 01:02:43PM +0200, Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2012-05-11 12:16, Josef Wolf wrote:
On Thu, May 10, 2012 at 11:37:23PM +0200, Carlos E. R. wrote:
It is supplied by suse because it is in the core repository which is supplied by suse.
Which is usually supplied to me by mirrors. Then chain of security can be intercepted even if downloaded from suse because the server is not https.
The same holds true for _every_ security patch you install. You surely install security patches, don't you? BTW: shouldn't the packages be signed to keep mirrors from manipulating them? I hope those keys are not just for fun? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-13 10:59, Josef Wolf wrote:
On Fri, May 11, 2012 at 01:02:43PM +0200, Carlos E. R. wrote:
Which is usually supplied to me by mirrors. Then chain of security can be intercepted even if downloaded from suse because the server is not https.
The same holds true for _every_ security patch you install. You surely install security patches, don't you?
Yes, but those patches are signed, and security is maintained. The problem arises when the update repo changes key, there is no secure channel to update the key.
BTW: shouldn't the packages be signed to keep mirrors from manipulating them? I hope those keys are not just for fun?
They are. The hole is in the transmission of the keys themselves. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+vwAgACgkQIvFNjefEBxoBqwCgsv+JRkLV7dLkr0meeePtFuvt 1+IAnAgNO++M7d9Jvq2ysSiqemWiekfc =7jj+ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sun, May 13, 2012 at 04:07:04PM +0200, Carlos E. R. wrote:
Which is usually supplied to me by mirrors. Then chain of security can be intercepted even if downloaded from suse because the server is not https.
The same holds true for _every_ security patch you install. You surely install security patches, don't you?
Yes, but those patches are signed, and security is maintained.
The problem arises when the update repo changes key, there is no secure channel to update the key.
But this is a generic problem with _all_ updates and in no way related to the question whether to put third-party keys into rpm's. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, May 10, 2012 at 05:34:15PM -0400, Brian K. White wrote:
On 5/10/2012 3:31 PM, Josef Wolf wrote:
On Thu, May 10, 2012 at 08:41:00PM +0200, Carlos E. R. wrote:
On 2012-05-10 16:26, Josef Wolf wrote:
How do you make security updates available to the package manager when they are not on the DVD? It's the same:
zypper refresh
simple, eh?
And how do you trust the security of the updates key when it changes? It is not so simple.
How do you trust the security of the kernel update? It's the same!
You DON'T trust the kernel update. You trust SUSE.
Exactly! That's why I wrote earlier in the thread, that the keys should be in the _core_ repository. If you install opensuse, you _have_ to trust suse anyway. How comes you install opensuse if you don't trust suse? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-11 12:11, Josef Wolf wrote:
How comes you install opensuse if you don't trust suse?
I trust SUSE. But we do not have a reliable path to import the keys. Zypper/Yast simply ask us to allow importing such a key, and there is no way to learn if the key offered comes really from the source it says it comes. A rogue mirror can change the key anytime, and users will simply accept it! That is the current situation. Just because developers/packagers refuse to publish their keys in a reliable manner. This is unacceptable. One day will have a disaster like the one that hit the kernel chaps. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+s87IACgkQIvFNjefEBxrnBwCfatn9GKhfeMXTHpWLfb2P9l9S K0EAn3AnFQIcZ6TZERyfG+0nU8OMM8wA =RGMN -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Am 10.05.2012 12:02, schrieb Josef Wolf:
Hello everybody,
I have installed opensuse-12.1 and found that some packages are no longer available. Notably, this are
lha, keepassx, wxMaxima, grip, pspdftool
Those packages were available on the old opensuse installation (11.1 or something). I think they were in the Contrib repository, but this don't seem to be available anymore.
Any ideas what happened to those packages and where to get them?
Thanks,
lha and keepassx I only find at http://download.opensuse.org/repositories/openSUSE:/Factory:/Contrib/openSUS... so I use this with priority 200 to take only the things I can not find at other places. A little bit "dirty", but it works... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 10/05/12 11:32, Peter Sikorski GTL wrote:
Am 10.05.2012 12:02, schrieb Josef Wolf:
Hello everybody,
I have installed opensuse-12.1 and found that some packages are no longer available. Notably, this are
lha, keepassx, wxMaxima, grip, pspdftool
Those packages were available on the old opensuse installation (11.1 or something). I think they were in the Contrib repository, but this don't seem to be available anymore.
Any ideas what happened to those packages and where to get them?
Thanks,
lha and keepassx I only find at http://download.opensuse.org/repositories/openSUSE:/Factory:/Contrib/openSUS...
so I use this with priority 200 to take only the things I can not find at other places. A little bit "dirty", but it works...
Keepassx can be found at http://download.opensuse.org/repositories/security:/passwordmanagement/openS... No need to use Factory :) Not sure about lha. Bob -- Bob Williams System: Linux 3.1.10-1.9-desktop Distro: openSUSE 12.1 (x86_64) with KDE Development Platform: 4.8.3 (4.8.3) "release 501" Uptime: 06:00am up 10 days 16:58, 4 users, load average: 0.02, 0.13, 0.15 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Where do I find - grip ? -- Duaine Hechler Piano, Player Piano, Pump Organ Tuning, Servicing& Rebuilding Reed Organ Society Member Florissant, MO 63034 (314) 838-5587 dahechler@att.net www.hechlerpianoandorgan.com -- Home& Business user of Linux - 11 years -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
* Duaine Hechler <dahechler@att.net> [05-10-12 15:19]:
Where do I find - grip ?
-- Duaine Hechler Piano, Player Piano, Pump Organ Tuning, Servicing& Rebuilding Reed Organ Society Member Florissant, MO 63034 (314) 838-5587 dahechler@att.net www.hechlerpianoandorgan.com -- Home& Business user of Linux - 11 years
zypper se -s grip http://software.opensuse.org/search http://google.com where did you look? -- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://linuxcounter.net -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, 10 May 2012 12:02:12 +0200, Josef Wolf <jw@raven.inka.de> wrote:
lha, keepassx, wxMaxima, grip, pspdftool
At least grip was dropped like xmms because they needed the old gnome 1 libs and we got rid of packages that did so because with the move to gnome2 we didn't want two sets of space consuming libraries. hth Philipp -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
* Patrick Shanahan <paka@opensuse.org> [01-01-70 12:34]:
* Duaine Hechler <dahechler@att.net> [05-10-12 15:19]:
Where do I find - grip ?
-- Duaine Hechler Piano, Player Piano, Pump Organ Tuning, Servicing& Rebuilding Reed Organ Society Member Florissant, MO 63034 (314) 838-5587 dahechler@att.net www.hechlerpianoandorgan.com -- Home& Business user of Linux - 11 years
zypper se -s grip
http://software.opensuse.org/search
where did you look?
and a more complete and much better answer from Philipp: * Philipp Thomas <Philipp.Thomas2@gmx.net> [01-01-70 12:34]:
On Thu, 10 May 2012 12:02:12 +0200, Josef Wolf <jw@raven.inka.de> wrote:
lha, keepassx, wxMaxima, grip, pspdftool
At least grip was dropped like xmms because they needed the old gnome 1 libs and we got rid of packages that did so because with the move to gnome2 we didn't want two sets of space consuming libraries.
-- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://linuxcounter.net -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 05/10/2012 03:42 PM, Patrick Shanahan wrote:
* Patrick Shanahan<paka@opensuse.org> [01-01-70 12:34]:
* Duaine Hechler<dahechler@att.net> [05-10-12 15:19]:
Where do I find - grip ?
-- Duaine Hechler Piano, Player Piano, Pump Organ Tuning, Servicing& Rebuilding Reed Organ Society Member Florissant, MO 63034 (314) 838-5587 dahechler@att.net www.hechlerpianoandorgan.com -- Home& Business user of Linux - 11 years
zypper se -s grip
http://software.opensuse.org/search
where did you look? and a more complete and much better answer from Philipp:
* Philipp Thomas<Philipp.Thomas2@gmx.net> [01-01-70 12:34]:
On Thu, 10 May 2012 12:02:12 +0200, Josef Wolf<jw@raven.inka.de> wrote:
lha, keepassx, wxMaxima, grip, pspdftool At least grip was dropped like xmms because they needed the old gnome 1 libs and we got rid of packages that did so because with the move to gnome2 we didn't want two sets of space consuming libraries.
As an alternate, I found - asunder - it's very close. Is there even a better one ? TIA, Duaine -- Duaine Hechler Piano, Player Piano, Pump Organ Tuning, Servicing& Rebuilding Reed Organ Society Member Florissant, MO 63034 (314) 838-5587 dahechler@att.net www.hechlerpianoandorgan.com -- Home& Business user of Linux - 11 years -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 10/05/12 23:00, Duaine Hechler wrote:
On 05/10/2012 03:42 PM, Patrick Shanahan wrote:
* Patrick Shanahan<paka@opensuse.org> [01-01-70 12:34]:
* Duaine Hechler<dahechler@att.net> [05-10-12 15:19]:
Where do I find - grip ?
-- Duaine Hechler Piano, Player Piano, Pump Organ Tuning, Servicing& Rebuilding Reed Organ Society Member Florissant, MO 63034 (314) 838-5587 dahechler@att.net www.hechlerpianoandorgan.com -- Home& Business user of Linux - 11 years
zypper se -s grip
http://software.opensuse.org/search
where did you look? and a more complete and much better answer from Philipp:
* Philipp Thomas<Philipp.Thomas2@gmx.net> [01-01-70 12:34]:
On Thu, 10 May 2012 12:02:12 +0200, Josef Wolf<jw@raven.inka.de> wrote:
lha, keepassx, wxMaxima, grip, pspdftool At least grip was dropped like xmms because they needed the old gnome 1 libs and we got rid of packages that did so because with the move to gnome2 we didn't want two sets of space consuming libraries.
As an alternate, I found - asunder - it's very close. Is there even a better one ?
TIA, Duaine
If you don't mind using Windows software, I would recommend Exact Audio Copy <http://www.exactaudiocopy.de/>, which runs well under wine. There is a good explanation on the above website about how it works. I have used it for many years to rip my CDs to .flac format (better quality than .mp3, but bigger files), and am still a satisfied user. It is free. The only thing it fails on is editing track titles, so I've learnt to use EasyTag for that. Bob -- Bob Williams System: Linux 3.1.10-1.9-desktop Distro: openSUSE 12.1 (x86_64) with KDE Development Platform: 4.8.3 (4.8.3) "release 501" Uptime: 18:00pm up 11 days 4:58, 4 users, load average: 4.14, 4.68, 4.79 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (11)
-
Bob Williams -
Brian K. White -
Carlos E. R. -
Carlos E. R. -
Duaine Hechler -
Josef Wolf -
Marcus Meissner -
Martin Helm -
Patrick Shanahan -
Peter Sikorski GTL -
Philipp Thomas