https://bugzilla.novell.com/show_bug.cgi?id=381731
User suse-beta@cboltz.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=381731#c15
--- Comment #15 from Christian Boltz
We can force people to get the KEYS file and .asc files always from the origin site, and not from mirrors, by simply excluding them from our rsync modules, so that they are not mirrored.
I'm not sure if this is a good idea - it might cause some confusion ("huh? where are the GPG signatures?") and problems, for example for people downloading from a mirror using rsync or FTP (they will have to start a separate download for the .asc files). OTOH, downloading the .asc files from another server is not a problem as long as people download the keys from a trusted location. If someone really changed the .asc file, gpg will warn about it. You can (and should) exclude the KEYS and .asc files from redirection on download.opensuse.org though. You should also make sure that the keys are signed by some trusted keys (like the security team key) so that users can easily check if the key is the "real" one.
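
The check discussed in the comment above (the .asc file may come from any server, as long as the KEYS file comes from a trusted location), as an added shell example. It is not part of the bug report or of any openSUSE tooling; the function name `verify_download` and its file arguments are assumptions.

```shell
#!/bin/sh
# Added example: verify a file fetched from a mirror against a detached .asc
# signature, trusting only the keys in a KEYS file obtained from the origin.

# verify_download KEYS_FILE SIG_FILE DATA_FILE
# Returns 0 only when SIG_FILE is a good signature over DATA_FILE made by a
# key present in KEYS_FILE, 1 on a bad or unknown signature, and 2 when the
# KEYS file cannot be imported.
verify_download() {
    vd_keys=$1; vd_sig=$2; vd_data=$3
    vd_home=$(mktemp -d) || return 2
    chmod 700 "$vd_home"
    # Throwaway keyring: keys already sitting in the user's own keyring
    # (possibly picked up from an untrusted place) cannot make the check pass.
    if gpg --homedir "$vd_home" --batch --quiet --import "$vd_keys" 2>/dev/null; then
        # GOODSIG on the status channel is the machine-readable marker for a
        # good signature; a changed file or changed .asc yields BADSIG/ERRSIG.
        if gpg --homedir "$vd_home" --batch --status-fd 1 \
               --verify "$vd_sig" "$vd_data" 2>/dev/null |
           grep -q '^\[GNUPG:\] GOODSIG '; then
            vd_rc=0
        else
            vd_rc=1
        fi
    else
        vd_rc=2
    fi
    # Stop any helper daemons started for the temporary keyring, then remove it.
    gpgconf --homedir "$vd_home" --kill all >/dev/null 2>&1 || true
    rm -rf "$vd_home"
    return "$vd_rc"
}
```

The result depends only on which keys are in the KEYS file, so the payload and the signature can be fetched from a mirror while KEYS is fetched from the origin site.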