Mailinglist Archive: opensuse-security (50 mails)

Re: [opensuse-security] Re: [security-announce] Package management security on SUSE Linux
  • From: Christian Boltz <suse-security@xxxxxxxxx>
  • Date: Sat, 19 Jul 2008 00:18:45 +0200
  • Message-id: <200807190018.48280@xxxxxxxxxxxxxxx>
Hello,

On Friday, 18 July 2008, Jonathon M. Robison wrote:
> What about using wwwkeys.pgp.net? We'd get all the benefits - key
> signing, etc.

Quoting http://wiki.linuxtag.org/w/Keysigning

> The only keyservers you should use are either subkeys.pgp.net or
> random.sks.keyserver.penguin.de, if you insist. Any of the
> keyservers in these clusters are fine.
>
> Please do not use other keyservers, like keyserver.net or
> wwwkeys.pgp.net: They all mangle keys in various ways including, but
> not limited to: dropping subkeys, moving binding sigs around between
> subkeys, duplicating user ids, modifying signature subpackets
> (dropping non-hashed data), calculating KeyIDs wrong (for v4 RSA
> keys), rejecting keys with attribute UIDs (such as photo ids), or
> they don't sync with the rest of the network.

That said: There's nothing wrong with using a keyserver - however I
don't think that the signatures will be useful for YaST (except for the
build service root key).
Especially, I don't want to have all signing keys imported to my rpm
keyring (needed to verify the signatures) because this would also mean
that packages signed with these keys will be accepted...

I think a two-way solution would be the best:
- YaST downloads the keys from download.opensuse.org (or packman or
whatever repository you use)
- if someone wants to check a key in more detail, he can download it
from a keyserver, including all signatures, and compare the fingerprint
with the fingerprint displayed by YaST.

The only disadvantage is that this method causes some manual work
(download the key from a keyserver and compare the fingerprint with the
one YaST displays). But security always has a price ;-)


Regards,

Christian Boltz
--
[...] if the installation of a stupid package failed, [...]
AFAIK there is no package named `stupid'.
[> Raphael Schillings and Michael Gross in
https://bugzilla.novell.com/show_bug.cgi?id=147588]
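An added example illustrating the fingerprint comparison proposed in the mail above (this is not code from the mail, from YaST or from rpm): it parses an OpenPGP key block, computes the v4 fingerprint of the primary key as RFC 4880 defines it, and shows that the extra user ids or subkeys a mangling keyserver may add do not change that value, while a different primary key under the same name does. The key blocks are constructed with dummy RSA parameters and are not real openSUSE keys.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count followed by the big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a 2-byte length (RFC 4880 4.2.1)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def iter_packets(data: bytes):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                   # new-format header (RFC 4880 4.2.2)
            tag, b0, i = ctb & 0x3F, data[i], i + 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length, i = ((b0 - 192) << 8) + data[i] + 192, i + 1
            elif b0 == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header; length type 3 (indeterminate) raises
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(keyblock: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte length || body of the first Public-Key packet (RFC 4880 12.2); last 16 hex digits = key ID."""
    for tag, body in iter_packets(keyblock):
        if tag == 6 and body[0] == 4:                    # tag 6 = primary public key, version 4
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    raise ValueError("no v4 public-key packet found")

# Constructed sample keys: v4 RSA public-key body = version, creation time, algorithm 1, n, e.
# The tiny moduli are dummies for the demonstration, NOT real keys.
def rsa_body(n: int, e: int = 65537) -> bytes:
    return b"\x04" + struct.pack(">I", 1216419525) + b"\x01" + mpi(n) + mpi(e)
USER_ID = packet(13, b"Example Build Service <buildservice@example.org>")
REPO_COPY = packet(6, rsa_body(0xB0A7D2F3E5C14986E7F3A5B1C9D2E4F6)) + USER_ID
# Keyserver copy "mangled" as the wiki describes: duplicated user id plus an extra subkey (tag 14).
KEYSERVER_COPY = REPO_COPY + USER_ID + packet(14, rsa_body(0xD1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6))
# A different primary key under the same name: its fingerprint must not match.
IMPOSTOR = packet(6, rsa_body(0xCAFEBABEDEADBEEF0123456789ABCDEF)) + USER_ID
```

Comparing `v4_fingerprint()` of the keyserver copy against the fingerprint YaST displays is the manual check the mail describes; the user id text and the attached signatures never enter the hash.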