Mailinglist Archive: opensuse-buildservice (314 mails)

Re: [opensuse-buildservice] osc build & sign keys
  • From: Susanne Oberhauser <froh@xxxxxxxxxx>
  • Date: 26 Jan 2008 09:16:55 +0100
  • Message-id: <s2ihch1f1c8.fsf@xxxxxxxxxxxxx>
Marcus Rueckert <darix@xxxxxxxxx> writes:

On 2008-01-25 21:12:45 +0100, Susanne Oberhauser wrote:
Adrian Schröter <adrian@xxxxxxx> writes:

Is there an ETA when this is going to be fixed? I depend on it, because
I intended to work on the redirector this week... for which I need a
functional Apache and Apache:Modules project.

actually, I am not that sure that this should be changed.

How should an external see that this package was not built by this
project/person?

I'd rather prefer the additional (aggregated) key to be distributed
via this project (aggregating the package).

Does the package management support several keys in one repo?

rpm does not support multiple sigs on one rpm.

a) I wouldn't put bets on that (I think it does, maybe buggy on and
off, but you can add multiple signatures and installation will
succeed if one of the keys is in /bin/rpm's keyring)

b) I meant multiple keys in the _repo_, not the package, so hard links work:

I propose that an aggregated repo not only aggregates the
packages but also hosts all keys used to sign these packages. The
project maintainer who does the aggregation claims these packages
are ok.

Now the Q is: is there a way that the user selects this repo and
YaST imports all the keys as trusted for rpms?

But thinking through it, alternatively, as rpm does support multiple
signatures on the same package, would it be ok if aggregation adds a
blessing to the package and it gets dual signed in both repos? So I
think the following would do the trick too:

I alternatively propose that aggregation means blessing of a
package, so the package will be signed with the original repo's key
as well as with the aggregating repo's key.

In addition to maintaining 'hardlinkability' I think the semantics
are ok: you'd never aggregate a package that you don't trust. And
the other way 'round, the additional signature in the other
repository won't harm; AFAICT it's sufficient to trust one of the
signatures to get a package installed, so the aggregating signature
doesn't change anything.

Susanne Oberhauser +49-911-74053-574 SUSE -- a Novell Business
OPS Engineering Maxfeldstraße 5
Processes and Infrastructure Nürnberg
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)