On Thursday, 11 August 2016 08:31:02 CEST Archie Cobbs wrote:
Although OBS provides signing keys, I'm pretty certain that the majority of users do not actually verify their fingerprints before selecting "Trust Always".
Oh well it's not a perfect world.
However, we could improve things a lot without requiring changing any behavior if the download site supported HTTPS access instead of only HTTP. Normal use of HTTPS is becoming standard practice these days - google, github, etc.
For example, this HTTPS URL does NOT work:
https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata/repomd.xml.key
instead you have to use insecure HTTP:
http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata/repomd.xml.key
Any reason we can't secure OBS access? If not, can we at least do it for the signing key files themselves?
With what we have now, and users' tendency to "Trust Always" without thinking, the signing keys are not really doing what they could.
-Archie
Even if download.o.o was serving https, download.o.o is a redirector, so you will get the key from one mirror, and the mirrors certainly do not all offer https.

What to do? Grab the list of mirrors, and kindly ask their hostmasters to install and support https. Once all are done, things can be easily improved, no? ;-)

-- 
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot

-- 
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
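The check Archie says most users skip before clicking "Trust Always" is comparing the fingerprint of the downloaded repomd.xml.key with one obtained out of band (a key's fingerprint published on a page you do reach over HTTPS, or a value you pinned the first time). The script below is an added example for this thread, not OBS or openSUSE code: it reimplements the OpenPGP v4 fingerprint from RFC 4880 (SHA-1 over 0x99, a two-byte length and the public-key packet body) so that it runs without gpg installed, and it also checks the armor's CRC-24 trailer so a truncated or corrupted mirror download is rejected before anyone is asked whether to trust it. The sample key at the bottom is constructed with dummy RSA parameters and is not a real signing key; the fingerprint you pin for a real repository must come from somewhere other than the same HTTP download.

```python
"""Check a downloaded repomd.xml.key against a fingerprint obtained out of band."""
import base64
import hashlib
import hmac
import re
import struct


def crc24(data: bytes) -> int:
    """CRC-24 used for the armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor and verify its CRC trailer; rejects corrupted downloads."""
    lines = [ln.rstrip("\r") for ln in armored.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored public key block")
    i = 1
    while i < len(lines) and ": " in lines[i]:   # armor headers (Version:, Comment:)
        i += 1
    while i < len(lines) and not lines[i].strip():  # blank separator line
        i += 1
    body, crc_line = [], None
    for ln in lines[i:]:
        if ln.startswith("-----END"):
            break
        if ln.startswith("="):
            crc_line = ln[1:]
        else:
            body.append(ln)
    data = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        if crc24(data) != int.from_bytes(base64.b64decode(crc_line), "big"):
            raise ValueError("armor CRC mismatch")
    return data


def first_packet(data: bytes):
    """Return (tag, body) of the first packet; old- and new-format headers, RFC 4880 4.2."""
    head = data[0]
    if not head & 0x80:
        raise ValueError("bad packet header")
    if head & 0x40:                      # new-format header
        tag, first = head & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old-format header
        tag, ltype = (head >> 2) & 0x0F, head & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate packet length not supported")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte length || key packet body (RFC 4880 section 12.2)."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys supported")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    return digest.hexdigest().upper()


def fingerprint_of_armored_key(armored: str) -> str:
    tag, body = first_packet(dearmor(armored))
    if tag != 6:
        raise ValueError("first packet is not a public key (tag %d)" % tag)
    return v4_fingerprint(body)


def matches_pinned(armored: str, pinned: str) -> bool:
    """True only if the key's fingerprint equals the out-of-band value (spaces ignored)."""
    want = re.sub(r"\s+", "", pinned).upper()
    return hmac.compare_digest(fingerprint_of_armored_key(armored), want)


def verify_downloaded_key(armored: str, pinned: str) -> str:
    """Status a wrapper would print before deciding whether to import/trust the key."""
    try:
        return "ok" if matches_pinned(armored, pinned) else "fingerprint mismatch"
    except ValueError as exc:
        return "unusable key: %s" % exc


def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_sample_key():
    """Constructed v4 RSA public-key packet with dummy parameters (NOT a real key)."""
    body = b"\x04" + struct.pack(">I", 1470900000) + b"\x01" + _mpi((1 << 127) + 12345) + _mpi(65537)
    packet = b"\x99" + struct.pack(">H", len(body)) + body   # old-format header, tag 6
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    armored = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
               + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
               + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
    return body, armored


if __name__ == "__main__":
    body, armored = build_sample_key()
    print(fingerprint_of_armored_key(armored), verify_downloaded_key(armored, v4_fingerprint(body)))
```

In practice you would feed `verify_downloaded_key` the file fetched from the mirror and a fingerprint you already hold, and only run `rpm --import` (or answer "Trust Always") on "ok"; `hmac.compare_digest` is used so the comparison does not leak how many leading characters matched, which is cheap to do even though it matters little for a fingerprint you were given in public.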