On Fri, 24 Apr 2020 19:26:01 +0200,
Julio González Gil <jgonzalez(a)suse.com> wrote:
I am pretty sure this was discussed in the past, and
conclusion was that this could be insecure, and that if the base OS
doesn't trust a GPG (such is this case as SLE doesn't trust the GPG
key for PackageHub by default:
), then trusting it on clients
should not be transparent for the Uyuni administrator as otherwise
the administrator wouldn't notice what's going.
Actually I only agree partly with this conclusion.
If a GPG-key is provided by Uyuni the client should trust it as Uyuni
is not only a dumb repository mirror but is provided root-privilege
As this comes provided by SCC, the question is if SLE
this key by default. But that's not something Uyuni can fix on its
Certainly both are not acceptable approaches due to security reasons.
Of course, with enough changes to the code, maybe Uyuni could assume
that if a repository came from SCC the key must be accepted on
reposync, and then it should be passed to the clients and trusted on
IMO it would be enough if any software channel has a place for its
GPG-key and automatically deploys this key whenever a client gets
subscribed to this channel.
OK, this will cause some coding effort but if I look at the WebUI
there already seem to be some fields referring to GPG-keys.
Same as above, yes. In this case it's the Uyuni Server the one that
doesn't trust the key as it considers the package hub as a third
party repository, just as SLE and openSUSE do.
From principle it is absolutely acceptable if I have to do some extra
tasks to add 3rd-party repositories.
My main problem was that I wasn't aware that PackageHub is a
3rd party repo. As in Uyuni's WebUI PackageHub is part of the
"Products" tree, I expected that all repositories that are
shown under "Products" are trusted by default which means that their
public keys are known by Uyuni's default setup.
xmpp (no email): crefeld(a)xabber.de