http://bugzilla.opensuse.org/show_bug.cgi?id=461957
http://bugzilla.opensuse.org/show_bug.cgi?id=461957#c6
Andreas Stieger
> And of course, keys must be signed by a master key, forming a web of trust.
Being signed by a master key does NOT create a web of trust. In other words, how do you know that you can trust the particular master key you have been shown? (Hint: it's not HTTPS). Also note that the underlying package manager rpm has the restriction that the keys are one-for-all, meaning all keys imported into the rpm database will be sufficient for ALL packages, regardless of their source. I talked to the libzypp maintainer about this and we may come up with a meaningful proposal on this.
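An added example, not part of the bug comment and not code from rpm or libzypp: since every key in the rpm database is accepted for every package, an audit of that keyring is more useful when it shows how many installed packages each imported key actually signed. The function names `tally_by_key` and `demo`, the key IDs and the package listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads two tab-separated listings (formats from real rpm query tags):
#   keys: rpm -q gpg-pubkey --qf '%{VERSION}\t%{SUMMARY}\n'
#   pkgs: rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n'
# Assumption: signatures are reported under SIGPGP; packages carrying only a
# header signature would need %{RSAHEADER:pgpsig} instead.

# tally_by_key KEYS PKGS prints, sorted:
#   KEY <id> <n> <summary>     imported key and number of packages it signed
#   NOKEY <package> <id|none>  package unsigned or signed by a key not imported
tally_by_key() {
    awk -F'\t' '
        NR == FNR { k = tolower($1); owner[k] = $2; count[k] = 0; next }
        $1 == "gpg-pubkey" { next }            # keys are listed as pseudo-packages
        {
            id = "none"
            if (match($2, /Key ID [0-9A-Fa-f]+/)) {
                id = tolower(substr($2, RSTART + 7, RLENGTH - 7))
                id = substr(id, length(id) - 7)  # gpg-pubkey VERSION is the last 8 hex digits
            }
            if (id in owner) count[id]++
            else printf "NOKEY\t%s\t%s\n", $1, id
        }
        END { for (k in owner) printf "KEY\t%s\t%d\t%s\n", k, count[k], owner[k] }
    ' "$1" "$2" | sort
}

# Constructed sample data (not from a real system).
demo() {
    d=$(mktemp -d)
    printf 'aaaa1111\tgpg(Distribution key, constructed)\n' > "$d/keys"
    printf 'bbbb2222\tgpg(Third-party repo key, constructed)\n' >> "$d/keys"
    {
        printf 'gpg-pubkey\t(none)\n'
        printf 'zypper\tRSA/SHA256, Thu 01 Jan 2009 12:00:00 UTC, Key ID 00000000aaaa1111\n'
        printf 'rpm\tRSA/SHA256, Thu 01 Jan 2009 12:00:00 UTC, Key ID 00000000aaaa1111\n'
        printf 'localtool\t(none)\n'
    } > "$d/pkgs"
    tally_by_key "$d/keys" "$d/pkgs"
    rm -rf "$d"
}

demo
```

A key reported with a count of 0 is still accepted for any package from any source, which makes it a candidate for review or removal from the rpm database.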