Mailinglist Archive: opensuse-buildservice (266 mails)

Re: [opensuse-buildservice] obs-service-gpg-offline
On Tue, Jan 08, 2013 at 04:43:02PM +0100, Stanislav Brabec wrote:
> Michal Vyskocil wrote:
>
>> To me it seems that the biggest issue in the current implementation is how
>> we can ensure the .keyring validity if a packager can put and submit what
>> he wants to.
>>
>> So what about creating some dedicated (open)SUSE GPG key and putting all
>> verified GPG ids into its web of trust? Then all we need is to verify
>> if the package is signed by this key and if so, then it's a trusted keyring.
>
> Well, suppose we have an "openSUSE signing key" and all signing keys of
> packages have to be in the web of trust.
>
> Would it be a real security benefit?
>
> If somebody writes to the openSUSE signing key maintainer: "Please sign
> 2753E77A, I need it for smartmontools", the signing key maintainer would have
> to ultimately trust the package maintainer.
>
> Would the key maintainer sign 2753E77A directly? But the key maintainer
> has only second-hand information about 2753E77A.
>
> Or would the key maintainer sign the openSUSE developer's key and the
> openSUSE developer will sign the upstream signing key? But then we would
> trust more than we want.
>
> Or would we require both? Only trusted developers would be able to ask
> for adding a key to the web of trust?
>
> Well, even worse. What if the author of the-tiny-game-0.1.tar.gz.asc would
> try to submit httpd-2.4.3.tar.bz2.asc signed by his key. The signature check
> will pass!

Well, no one said that in the web of trust model we won't check the .keyring
changes. But it was just an idea; I would say that the current incarnation
is secure and flexible enough.

Michal Vyskocil
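The scenario raised in the quoted mail (a signature made with the-tiny-game author's key being accepted for httpd) is why a detached-signature check has to be bound to the package, not just to "some key in the keyring". The Python below is an added example; it is not part of the thread and not code from obs-service-gpg-offline. It parses the machine-readable lines gpg/gpgv write with `--status-fd` (format from GnuPG's doc/DETAILS) and accepts a signature only when the primary-key fingerprint reported on the VALIDSIG line is on that package's allow-list. The `TRUSTED_SIGNERS` table, the fingerprints and the status lines are constructed for the example.

```python
"""Bind a tarball's detached-signature check to the key(s) allowed to sign it.

Added example (not from obs-service-gpg-offline). gpg/gpgv answer "is this a
valid signature by any key in the keyring?"; here we additionally ask "is the
key that made it the one registered for this package?".
"""
import re
import subprocess

# Hypothetical allow-list: package -> primary-key fingerprints permitted to
# sign its upstream tarballs. The fingerprints are placeholders constructed
# for this example, not real keys.
TRUSTED_SIGNERS = {
    "httpd": {"0123456789ABCDEF0123456789ABCDEF01234567"},
    "the-tiny-game": {"89ABCDEF0123456789ABCDEF0123456789ABCDEF"},
}

# VALIDSIG <sig-key fpr> <date> <timestamp> <expire> <ver> <reserved>
#          <pk-algo> <hash-algo> <sig-class> <primary-key fpr>
_VALIDSIG = re.compile(
    r"^\[GNUPG:\] VALIDSIG (?P<sigkey>[0-9A-F]{40}) .* (?P<primary>[0-9A-F]{40})$"
)
# Any of these status keywords means the signature must be refused outright.
_FATAL = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def evaluate(package, status_output):
    """Return (accepted, reason) for the --status-fd output of one verification."""
    allowed = TRUSTED_SIGNERS.get(package)
    if not allowed:
        return False, "no signing key is registered for package %r" % package

    primaries = []
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary gpg output, not a status line
        keyword = line.split(" ", 2)[1]
        if keyword in _FATAL:
            return False, "gpg reported %s" % keyword
        m = _VALIDSIG.match(line)
        if m:
            primaries.append(m.group("primary"))

    if not primaries:
        return False, "no VALIDSIG line: signature not verified"
    # Every signature on the file must come from a key allowed for this package.
    wrong = [f for f in primaries if f not in allowed]
    if wrong:
        return False, "valid signature, but key %s is not allowed for %s" % (wrong[0], package)
    return True, "signed by %s" % ", ".join(sorted(set(primaries)))


def run_gpgv(keyring, signature, tarball):
    """Verify with gpgv and return its status text; only the status lines are
    consulted by evaluate(), not gpgv's exit code."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, signature, tarball],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, check=False,
    )
    return proc.stdout.decode("utf-8", "replace")


# Constructed status output: httpd tarball signed by the httpd upstream key.
STATUS_HTTPD_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Upstream <upstream@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-01-08 1357650182 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: the same httpd tarball, but the .asc was made with the
# the-tiny-game author's key. gpg says GOODSIG/VALIDSIG, so a bare
# signature check passes, yet the key is the wrong one for httpd.
STATUS_HTTPD_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Tiny Game Author <games@example.net>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2013-01-08 1357650182 0 4 0 1 8 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: tampered tarball, signature does not match.
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Upstream <upstream@example.org>\n"

if __name__ == "__main__":
    for pkg, status in (("httpd", STATUS_HTTPD_GOOD),
                        ("httpd", STATUS_HTTPD_WRONG_KEY),
                        ("the-tiny-game", STATUS_HTTPD_WRONG_KEY),
                        ("httpd", STATUS_BAD)):
        print(pkg, evaluate(pkg, status))
```

In a real service the allow-list would live outside the package's own checkout (otherwise the submitter can change the fingerprint along with the .keyring, which is exactly the problem the thread discusses), and `run_gpgv` would be fed the tarball, its `.asc` and the keyring from the source service.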