Mailinglist Archive: opensuse-buildservice (266 mails)

Re: [opensuse-buildservice] obs-service-gpg-offline
Michal Vyskocil wrote:

> To me it seems that the biggest issue in current implementation is how
> we can ensure the .keyring validity if package can put and submit what
> he wants to.
>
> So what about to create some dedicated (open)SUSE GPG key and put all
> verified GPG ids into its web of trust? Then all we need is to verify
> if package is signed by this key and if so, then it's a trusted keyring.

Well, suppose we have an "openSUSE signing key" and all signing keys of
packages have to be in the web of trust.

Would it be a real security benefit?

If somebody writes to the openSUSE signing key maintainer: Please sign
2753E77A, I need it for smartmontools. The signing key maintainer would
have to ultimately trust the package maintainer.

Would the key maintainer sign 2753E77A directly? But the key maintainer
has only second-hand information about 2753E77A.

Or would the key maintainer sign the openSUSE developer's key and the
openSUSE developer would sign the upstream signing key? But then we would
trust more than we want.

Or would we require both? Only trusted developers would be able to ask
for adding a key to the web of trust?

Well, even worse. What if the author of the-tiny-game-0.1.tar.gz.asc
tried to submit httpd-2.4.3.tar.bz2.asc signed by his key? The signature
check will pass!

Best Regards / S pozdravem,

Stanislav Brabec
software developer
SUSE LINUX, s. r. o. e-mail: sbrabec@xxxxxxx
Lihovarská 1060/12 tel: +49 911 7405384547
190 00 Praha 9 fax: +420 284 028 951
Czech Republic
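
The last point of the message above, as an added example (not part of the original mail and not obs-service-gpg-offline code): it parses `gpg --status-fd` style output and compares a shared trusted set with a per-package pin. The fingerprints, the status lines and the per-package pin table are constructed assumptions.

```python
# Added example with constructed data; not obs-service-gpg-offline code.
PREFIX = "[GNUPG:] "
HTTPD_KEY = "A" * 40       # constructed fingerprint: httpd upstream key
TINY_GAME_KEY = "B" * 40   # constructed fingerprint: the-tiny-game author's key

# Model 1: every verified upstream key lands in one shared trusted set.
SHARED_TRUST = {HTTPD_KEY, TINY_GAME_KEY}
# Model 2 (assumption): each package is pinned to its own upstream key(s).
PINS = {"httpd": {HTTPD_KEY}, "the-tiny-game": {TINY_GAME_KEY}}

# Constructed status output for httpd-2.4.3.tar.bz2.asc made with the
# the-tiny-game key. The signature itself is cryptographically valid.
FORGED_HTTPD = (
    PREFIX + "GOODSIG " + TINY_GAME_KEY[-16:] + " Tiny Game Author\n"
    + PREFIX + "VALIDSIG " + TINY_GAME_KEY
    + " 2012-09-01 1346457600 0 4 0 1 8 00 " + TINY_GAME_KEY + "\n"
)


def valid_signers(status):
    """Primary-key fingerprints from VALIDSIG lines of gpg --status-fd output."""
    signers = set()
    for line in status.splitlines():
        if not line.startswith(PREFIX):
            continue  # ignore anything that is not a status line
        fields = line[len(PREFIX):].split()
        if len(fields) >= 2 and fields[0] == "VALIDSIG":
            # Field 10 is the primary key fingerprint when gpg reports it;
            # otherwise fall back to the signing key fingerprint in field 1.
            signers.add((fields[10] if len(fields) > 10 else fields[1]).upper())
    return signers


def accept_shared(status):
    """Accept if any valid signer is in the shared trusted set."""
    return bool(valid_signers(status) & SHARED_TRUST)


def accept_pinned(package, status):
    """Accept only if a valid signer is pinned for this specific package."""
    return bool(valid_signers(status) & PINS.get(package, set()))


if __name__ == "__main__":
    print("shared trust accepts:", accept_shared(FORGED_HTTPD))           # True
    print("httpd pin accepts:   ", accept_pinned("httpd", FORGED_HTTPD))  # False
```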
