On Fri, 24 Apr 2020 19:26:01 +0200, Julio González Gil <jgonzalez@suse.com> wrote:
I am pretty sure this was discussed in the past, and IIRC the conclusion was that this could be insecure, and that if the base OS doesn't trust a GPG key (such is the case here, as SLE doesn't trust the GPG key for PackageHub by default: https://packagehub.suse.com/how-to-use/), then trusting it on clients should not be transparent for the Uyuni administrator, as otherwise the administrator wouldn't notice what's going on.
Actually I only agree partly with this conclusion. If a GPG key is provided by Uyuni, the client should trust it, as Uyuni is not only a dumb repository mirror but is provided with root privileges via Salt scripts.
As this comes provided by SCC, the question is if SLE should trust this key by default. But that's not something Uyuni can fix on its side.
Certainly both are not acceptable approaches, for security reasons.
Of course, with enough changes to the code, maybe Uyuni could assume that if a repository came from SCC the key must be accepted on reposync, and then it should be passed to the clients and trusted on the clients.
IMO it would be enough if any software channel has a place for its GPG key and automatically deploys this key whenever a client gets subscribed to this channel. OK, this will cause some coding effort, but if I look at the WebUI there already seem to be some fields referring to GPG keys.
Same as above, yes. In this case it's the Uyuni Server that doesn't trust the key, as it considers the package hub a third-party repository, just as SLE and openSUSE do.
In principle it is absolutely acceptable if I have to do some extra tasks to add 3rd-party repositories. My main problem was that I wasn't aware that PackageHub is a 3rd-party repo. As in Uyuni's WebUI PackageHub is part of the "Products" tree, I expected that all repositories that are shown under "Products" are trusted by default, which means that their public keys are known by Uyuni's default setup.

--
Regards, Tobias Crefeld.
xmpp (no email): crefeld@xabber.de