Michael Schroeder wrote:

On Tue, Apr 13, 2010 at 12:16:29AM +0200, Joachim Schrod wrote:

...

Meta data in OBS repo-md repositories (i.e., repomd. is usually signed with gpg. It seems that zypper does not check expiration of used gpg keys. (zypper 1.0.13 on openSUSE 11.1, in case that matters.)

As an example: http://download.opensuse.org/repositories/Apache:/MirrorBrain/Apache_openSUS... has a key that expired at April 1, 2010; i.e., 12 days ago. (The key has ID 0xBD6D129A and fingerprint EDDD C98D 96A0 F889 9AB0 7C78 9584 A164 BD6D 129A.)

I would have expected a warning or an error when this repository is refreshed, but nothing as such happens.

Same as with rpm ;-)

Good point; but actually I find check of repository meta-data signatures even more important than rpm signatures. RPMs may be validly older, since the software may have not changed for a long time -- I do not expect that to happen for repository meta-data. Joachim -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Joachim Schrod Email: jschrod@acm.org Roedermark, Germany -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org