Although OBS provides signing keys, I'm pretty certain that the majority of users do not actually verify their fingerprints before selecting "Trust Always". Oh well it's not a perfect world. However, we could improve things a lot without requiring changing any behavior if the download site supported HTTPS access instead of only HTTP. Normal use of HTTPS is becoming standard practice these days - google, github, etc. For example, this HTTPS URL does NOT work: https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodat... instead you have to use insecure HTTP: http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata... Any reason we can't secure OBS access? If not, can we at least do it for the signing key files themselves? With what we have now, and users tendency to "Trust Always" without thinking, the signing keys are not really doing what they could. -Archie -- Archie L. Cobbs -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org