Mailinglist Archive: opensuse-security (50 mails)

Re: [opensuse-security] Re: [security-announce] Package management security on SUSE Linux
  • From: "Jonathon M. Robison" <jrobiso2@xxxxxxxxx>
  • Date: Fri, 18 Jul 2008 09:59:13 -0400
  • Message-id: <1216389554.4660.12.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
What about using wwwkeys.pgp.net? We'd get all the benefits - key
signing, etc.

Perhaps this should be looked at for 11.1, or .2?

Jonathon M. Robison

"There are 10 kinds of people in the world. Those who understand binary,
and those who don't"


On Fri, 2008-07-18 at 10:09 +0200, Ludwig Nussel wrote:
> Carlos E. R. wrote:
> > when a user adds a repository, he is asked to add its key first. Where
> > from is this key imported, from the repository itself, from a central
> > repo, or from the chain of HKP keyservers? Usually we simply click
> > "accept", as there is no clear method of checking, trusting, and importing
> > the key except by clicking "accept" when the repo is added.
>
> The key is imported from the repo itself (repomd.xml.key). You are
> right that there currently is no satisfactory way to initially
> verify the key. A special view on build.opensuse.org could fix that
> but is not there yet. :-(
>
> > Perhaps Yast, or zypper, should include a key management module.
>
> We opened a feature request for that some time ago already but
> it's not implemented yet.
>
> cu
> Ludwig
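
Because the key comes from the same place as the metadata it signs (repomd.xml.key), an initial check only means something when it uses a fingerprint obtained through a separate channel. The following is an added example, not part of the original thread and not how zypper or YaST work: it computes the OpenPGP v4 fingerprint of an armored key and compares it to a pinned value. All function names are hypothetical, and the sample key is constructed with toy values.

```python
import base64
import hashlib

def dearmor(text):
    """Binary OpenPGP data from an ASCII-armored block (CRC24 line ignored)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]      # skip armor headers and END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def first_packet(data):
    """(tag, body) of the first packet, per RFC 4880 section 4.2."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                            # new-format header
        tag, o1 = hdr & 0x3F, data[1]
        if o1 < 192:
            start, length = 2, o1
        elif o1 < 224:
            start, length = 3, ((o1 - 192) << 8) + data[2] + 192
        elif o1 == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths not supported")
    else:                                     # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype                        # 1, 2 or 4 length octets
        start, length = 1 + n, int.from_bytes(data[1:1 + n], "big")
    return tag, data[start:start + length]

def v4_fingerprint(armored):
    """SHA-1 over 0x99, 2-octet body length, key packet body (RFC 4880 12.2)."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("first packet is not a version 4 public key")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def key_matches_pin(armored, pinned):
    """Compare against a fingerprint obtained out of band (spaces allowed)."""
    return v4_fingerprint(armored) == pinned.replace(" ", "").upper()

def armor(packet):
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(packet).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

# Constructed sample, not a real key: v4 RSA packet body with toy MPIs n and e.
BODY = b"\x04" + (1200000000).to_bytes(4, "big") + b"\x01\x00\x10\xc3\x55\x00\x11\x01\x00\x01"
SAMPLE_KEY = armor(b"\x99" + len(BODY).to_bytes(2, "big") + BODY)
```

The fingerprint depends only on the key packet body, so the same key served with a different packet header encoding still matches the pin, while any change to the key material does not.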
