Mailinglist Archive: opensuse-announce (19 mails)

[opensuse-announce] Build Service Repositories Get New GPG Keys
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Tue, 22 Jan 2008 22:45:03 +0100
  • Message-id: <200801222245.03673.adrian@xxxxxxx>

Wondering why zypper or YaST are currently asking you to accept new keys for
some repositories? If so, please read this mail.

The repositories on opensuse.org below the

http://download.opensuse.org/repositories/

directory are currently getting new GPG keys, which are used to sign the repository
metadata and the packages. The reason behind this is to increase the security
of you and your system. Repositories inside this directory are created by
openSUSE build service packagers. Everybody can go to

http://build.opensuse.org

and get at least their own home:<login> project where they can build and publish
packages. All other projects also have different owners, meaning the
people who have write permissions there.

As a consequence of this openness of the build service, users should be able
to decide whom to trust and whom not. This is easily done by adding, not
adding, or removing repositories.
Beyond that, rpm and the package managers use GPG keys to support users in this
approach: these tools use them to verify that a certain repository and each
package does indeed come from a certain person or group.

In the past, all build service repositories were signed with the same key.
This meant that a user was able to allow or disallow repositories, but the
tools did not help with or even check this. This approach was therefore not
safe against attacks.

From now on we use separate keys per top-level project. Users can decide whether
or not to accept certain keys. Packagers will, to some degree, get an API
interface to manage these keys in the near future.

These keys are auto-generated by the build service and report to come from

KDE OBS Project <KDE@xxxxxxxxxxxxxxxxxx>

or

home:adrianSuSE OBS Project <home:adrianSuSE@xxxxxxxxxxxxxxxxxx>

for example.
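As an added illustration (not part of the original mail, and not the build service's or zypper's own code), the following Python models the check a client can make under the per-project key scheme: derive the project from a repository URL, derive the project a key's user ID claims, and accept the key only if both agree and the user has already accepted that key for that project. The download.opensuse.org path layout (a ':' ending each path segment of a multi-part project name, e.g. home:/adrianSuSE/), the reading that the top-level project of home:<login>:... is home:<login>, and the example.invalid mailbox domain and fingerprints are assumptions.

```python
import re
from urllib.parse import urlparse

REPO_BASE = "/repositories/"
# Key user IDs look like "KDE OBS Project <KDE@example.invalid>" (placeholder domain)
UID_RE = re.compile(r"^(?P<project>\S+) OBS Project <(?P<addr>[^>]+)>$")

def project_from_uid(uid):
    """Return the project a key's user ID claims to belong to."""
    m = UID_RE.match(uid)
    if not m:
        raise ValueError("unexpected key user ID: %r" % uid)
    project, addr = m.group("project"), m.group("addr")
    if addr.split("@", 1)[0] != project:  # name and mailbox must agree
        raise ValueError("user ID name and address disagree: %r" % uid)
    return project

def project_from_repo_url(url):
    """Derive the project from a repository URL. Assumed layout: home:adrianSuSE
    is published under .../repositories/home:/adrianSuSE/<target>/, i.e. a ':'
    ends each path segment of a multi-part project name."""
    path = urlparse(url).path
    if REPO_BASE not in path:
        raise ValueError("not a build service repository URL: %r" % url)
    parts = []
    for seg in path.split(REPO_BASE, 1)[1].strip("/").split("/"):
        parts.append(seg.rstrip(":"))
        if not seg.endswith(":"):
            break
    if not parts[0]:
        raise ValueError("no project in repository URL: %r" % url)
    return ":".join(parts)

def top_level_project(project):
    """Keys exist per top-level project; for home projects we take that to be
    home:<login> (assumption based on the mail's examples)."""
    parts = project.split(":")
    return ":".join(parts[:2] if parts[0] == "home" else parts[:1])

def check_repo_key(url, key_fpr, key_uid, accepted):
    """Decide how a client should treat a repository's signing key.
    accepted maps an already accepted key fingerprint -> project name."""
    repo_project = top_level_project(project_from_repo_url(url))
    key_project = project_from_uid(key_uid)
    if key_project != repo_project:
        return "reject: key claims %s, repository is %s" % (key_project, repo_project)
    if accepted.get(key_fpr) != repo_project:
        return "ask: key for %s not accepted yet" % repo_project
    return "accept"
```

Under the old single-key scheme every repository would have passed the first test with the same key, so the user's per-repository trust decision was never enforced by the tools.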

If you are not sure whether you can trust a certain project, you should log
into the build service via

http://build.opensuse.org

and look at the list of persons who are part of this project. (Yes, a system
which makes this more transparent for the end user is in our plan.)

I hope this helps
adrian

PS: There was a bug which caused failures when checking a signature with rpm.
This will be solved by rebuilding these packages. YaST and zypper use gpg and
never had this problem.

--

Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@xxxxxxx
