Mailinglist Archive: opensuse-security (50 mails)

Re: [opensuse-security] Re: [security-announce] Package management security on SUSE Linux
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Fri, 18 Jul 2008 10:09:40 +0200
  • Message-id: <200807181009.41155.ludwig.nussel@xxxxxxx>
Carlos E. R. wrote:
> When a user adds a repository, he is asked to add its key first. Where
> from is this key imported, from the repository itself, from a central
> repo, or from the chain of HKP keyservers? Usually we simply click
> "accept", as there is no clear method of checking, trusting, and importing
> the key except by clicking "accept" when the repo is added.

The key is imported from the repo itself (repomd.xml.key). You are
right that there currently is no satisfactory way to initially
verify the key. A special view on build.opensuse.org could fix that
but is not there yet. :-(

> Perhaps Yast, or zypper, should include a key management module.

We opened a feature request for that some time ago already but
it's not implemented yet.

cu
Ludwig

--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
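
Added example, not part of the original mail and not zypper or YaST code: because repomd.xml.key is served by the repository itself, a manual check before clicking "accept" means computing the key's fingerprint locally and comparing it with one obtained over a separate channel. The sketch assumes such a fingerprint is available and handles version 4 keys only; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample standing in for a downloaded repomd.xml.key: a version 4
# RSA public-key packet with toy values (not a real key), armor CRC omitted.
SAMPLE_BODY = b"\x04" + struct.pack(">IB", 1216368580, 1) + b"\x00\x10\xc3\x5f\x00\x11\x01\x00\x01"
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
              + base64.b64encode(b"\x99\x00\x0f" + SAMPLE_BODY).decode()
              + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (RFC 4880, section 6.2) and return the raw packets."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]           # after armor headers, before END
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def first_key_body(pkt: bytes) -> bytes:
    """Return the body of the leading Public-Key packet (tag 6)."""
    hdr = pkt[0]
    if hdr & 0x40:                                 # new-format packet header
        tag, first = hdr & 0x3F, pkt[1]
        if first < 192:
            off, length = 2, first
        elif first < 224:
            off, length = 3, ((first - 192) << 8) + pkt[2] + 192
        elif first == 255:
            off, length = 6, int.from_bytes(pkt[2:6], "big")
        else:
            raise ValueError("partial body length is not valid here")
    else:                                          # old-format packet header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length")
        off = 1 + (1 << ltype)
        length = int.from_bytes(pkt[1:off], "big")
    if not hdr & 0x80 or tag != 6:
        raise ValueError("data does not start with a Public-Key packet")
    return pkt[off:off + length]

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, two-byte length, packet body (RFC 4880, section 12.2)."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_matches(armored: str, trusted_fpr: str) -> bool:
    """Compare the key's fingerprint with one obtained over a separate channel."""
    want = "".join(trusted_fpr.split()).upper()
    return v4_fingerprint(first_key_body(dearmor(armored))) == want
```

The comparison is only as good as the channel the trusted fingerprint came from; a fingerprint copied from the same repository proves nothing.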