On Saturday 2008-07-19 at 00:18 +0200, Christian Boltz wrote:
> That said: There's nothing wrong with using a keyserver - however I don't think that the signatures will be useful for YaST (except for the build service root key). Especially, I don't want to have all signing keys imported to my rpm keyring (needed to verify the signatures), because this would also mean that packages signed with these keys will be accepted...
>
> I think a two-way solution would be the best:
> - YaST downloads the keys from download.opensuse.org (or packman or whatever repository you use)
> - if someone wants to check a key in more detail, he can download it from a keyserver, including all signatures, and compare the fingerprint with the fingerprint displayed by YaST.
>
> The only disadvantage is that this method causes some manual work (download the key from a keyserver and compare the fingerprint with the one YaST displays). But security always has a price ;-)
I think that, when yast or zypper adds a repo that has a signature that is not already imported, it should fire a new module that handles key importing and signing. It could be from the existing key servers, or from a specific key server at suse.

Or at least, an "add repo module", that could display more info, like a description of the repo, list of persons responsible for it, signature keys, software they maintain there, etc.

--
Cheers,
Carlos E. R.
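The manual check Christian describes (download the key, compare its fingerprint with the one YaST shows) is easy to script. What follows is an added example, not code from this thread, from YaST or from rpm: it strips the ASCII armor from an OpenPGP public key, locates the first Public-Key packet, computes the v4 fingerprint the way RFC 4880 defines it (SHA-1 over 0x99, the two-byte body length and the packet body), derives the `gpg-pubkey-<low 32 bits of key id>-<creation time>` name rpm gives the key once imported, and compares the result against a displayed fingerprint in constant time. The key material is constructed for the demo (tiny RSA parameters, a made-up creation timestamp, an unchecked CRC line) and is not a real key.

```python
"""Check a downloaded OpenPGP public key against a displayed fingerprint.

Added example for the opensuse-security thread, not project code. The key
built by build_demo_key() is constructed and cryptographically worthless;
it only exercises the armor, packet and fingerprint handling.
"""
import base64
import hashlib
import hmac
import re
import struct


def armor_to_packets(armored: str) -> bytes:
    """Return the raw packet bytes from an ASCII-armored block (CRC line ignored)."""
    body, in_body, seen_blank = [], False, False
    for line in armored.strip().splitlines():
        if line.startswith("-----BEGIN"):
            in_body = True
            continue
        if line.startswith("-----END"):
            break
        if not in_body:
            continue
        if not seen_blank:                 # armor headers end at the first blank line
            seen_blank = line.strip() == ""
            continue
        if line.startswith("=") or not line.strip():   # 24-bit CRC line or padding
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def first_public_key_body(data: bytes) -> bytes:
    """Walk the packet stream and return the body of the first Public-Key packet (tag 6)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet")
        if ctb & 0x40:                     # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                              # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        if tag == 6:
            return data[pos + hdr:pos + hdr + length]
        pos += hdr + length
    raise ValueError("no public key packet found")


def v4_fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1(0x99 || 2-byte body length || body), upper-case hex."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def rpm_pubkey_name(body: bytes) -> str:
    """Name rpm gives an imported key: low 32 bits of the key id plus creation time, both hex."""
    created = struct.unpack(">I", body[1:5])[0]
    return f"gpg-pubkey-{v4_fingerprint(body)[-8:].lower()}-{created:08x}"


def fingerprint_matches(displayed: str, body: bytes) -> bool:
    """Compare a fingerprint as shown on screen (spaces, colons, any case) with the computed one."""
    shown = re.sub(r"[\s:]", "", displayed).upper()
    return hmac.compare_digest(shown, v4_fingerprint(body))


def build_demo_key(created: int = 1216419480) -> str:
    """Constructed demo key: minimal v4 RSA Public-Key packet, old-format header, armored."""
    n, e = (0xC0FF).to_bytes(2, "big"), (0x010001).to_bytes(3, "big")   # 16-bit and 17-bit MPIs
    body = b"\x04" + struct.pack(">I", created) + b"\x01"
    body += struct.pack(">H", 16) + n + struct.pack(">H", 17) + e
    packet = b"\x99" + struct.pack(">H", len(body)) + body
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: demo (constructed)\n\n"
            + base64.b64encode(packet).decode() + "\n=AAAA\n"      # CRC not verified here
            + "-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    key = first_public_key_body(armor_to_packets(build_demo_key()))
    print("fingerprint:", v4_fingerprint(key))
    print("rpm name:   ", rpm_pubkey_name(key))
    print("matches all-zero fingerprint?", fingerprint_matches("0" * 40, key))
```

In use, `build_demo_key()` would be replaced by the key file fetched from the repository, and `displayed` by the fingerprint YaST shows; only when `fingerprint_matches` is true does the key go into the rpm keyring, which is the step that makes packages signed with it acceptable.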