Mailinglist Archive: opensuse-buildservice (140 mails)

Re: [opensuse-buildservice] adding checksums to the buildinfo
  • From: Claudio Freire <klaussfreire@xxxxxxxxx>
  • Date: Tue, 17 Jul 2012 19:18:02 -0300
  • Message-id: <CAGTBQpaign=OCHeM37wM0BqY7s65WdgLTpzs4=bpJQMMTGAOsA@mail.gmail.com>
On Tue, Jul 17, 2012 at 7:10 PM, Marcus Hüwe <suse-tux@xxxxxx> wrote:
> Well it's rather an issue with the current workflow:
> - ask user if he "trusts" the project(s)
> - download the pubkey(s) from the api
> - check gpg signature of the packages

It's not as flawed.

Once osc has installed the gpg key, it becomes really hard to thwart
the process. However, with mere hashes, every time a download takes
place is an opportunity to do it.

The improvement is nonexistent in theory, but in practice it does
help. Besides, users could install the key manually, from a trusted
source. That would be the case of appliances, for instance.