Mailinglist Archive: opensuse-security (50 mails)

Re: [opensuse-security] Re: [security-announce] Package management security on SUSE Linux
  • From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
  • Date: Sun, 20 Jul 2008 12:28:38 +0200 (CEST)
  • Message-id: <alpine.LSU.1.00.0807201221150.12808@xxxxxxxxxxxxxxxx>

The Saturday 2008-07-19 at 00:18 +0200, Christian Boltz wrote:

> That said: There's nothing wrong with using a keyserver - however I
> don't think that the signatures will be useful for YaST (except for the
> build service root key).
> Especially, I don't want to have all signing keys imported into my rpm
> keyring (needed to verify the signatures) because this would also mean
> that packages signed with these keys will be accepted...
>
> I think a two-way solution would be the best:
> - YaST downloads the keys from (or packman or
> whatever repository you use)
> - if someone wants to check a key in more detail, he can download it
> from a keyserver, including all signatures, and compare the fingerprint
> with the fingerprint displayed by YaST.
>
> The only disadvantage is that this method causes some manual work
> (download the key from a keyserver and compare the fingerprint with the
> one YaST displays). But security always has a price ;-)

I think that, when YaST or zypper adds a repo that has a signature that is not already imported, it should fire a new module that handles key importing and signing. It could be from the existing key servers, or from a specific key server at SUSE.

Or at least, an "add repo module", that could display more info, like a description of the repo, list of persons responsible for it, signature keys, software they maintain there, etc.

--
Cheers,
Carlos E. R.


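The manual check Christian describes above (fetch the key, obtain its fingerprint through a second channel such as a keyserver or the YaST dialog, compare, and only then import) can be scripted so the import never happens on a mismatch. The following is an added example in Python, not code from this thread, from YaST or from zypper: it computes the OpenPGP v4 fingerprint of an ASCII-armored public key directly from the packet bytes (RFC 4880: SHA-1 over 0x99, a two-octet length and the public-key packet body) and runs `rpm --import` only when that value equals the fingerprint supplied out of band. The file name verify_key.py and the embedded sample key are assumptions; the sample is a constructed, non-functional packet so the script runs offline.

```python
"""verify_key.py (hypothetical name): compute an OpenPGP v4 fingerprint from an
ASCII-armored public key and run `rpm --import` only if it equals a fingerprint
obtained out of band (keyserver, the one YaST displays, vendor web page)."""
import base64
import hashlib
import subprocess
import sys

def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip the ASCII armor and return raw packet bytes; the '=XXXX' CRC24 line,
    when present, is verified so a truncated or corrupted download is rejected."""
    lines = armored.splitlines()
    starts = [i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----")]
    if not starts:
        raise ValueError("no armored public key block found")
    body, crc_line, in_body = [], None, False
    for line in lines[starts[0] + 1:]:
        if line.startswith("-----END"):
            break
        if not in_body:                     # "Version:", "Comment:" headers end at a blank line
            in_body = line.strip() == ""
            continue
        if line.startswith("="):
            crc_line = line[1:].strip()
        else:
            body.append(line.strip())
    data = base64.b64decode("".join(body))
    if crc_line is not None and crc24(data) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("armor CRC24 mismatch: key block is corrupt or truncated")
    return data

def first_packet(data: bytes):
    """Return (tag, body) of the first packet; handles old and new header formats."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("invalid packet tag octet")
    if ctb & 0x40:                          # new format, RFC 4880 section 4.2.2
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:                                   # old format, RFC 4880 section 4.2.1
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length is not supported")
        n = 1 << ltype                      # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]

def fingerprint(armored: str) -> str:
    """v4 fingerprint, RFC 4880 section 12.2: SHA-1 over 0x99, a two-octet length
    and the public-key packet body, as 40 upper-case hex digits."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError(f"expected a version 4 public-key packet, got tag {tag} version {body[0]}")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def normalize(fp: str) -> str:
    """Accept fingerprints the way gpg or YaST print them: spaces, colons, any case."""
    return fp.replace(" ", "").replace(":", "").upper()

def check_key(armored: str, expected_fp: str) -> bool:
    """True only if the key's computed fingerprint equals the out-of-band one."""
    return fingerprint(armored) == normalize(expected_fp)

def build_sample_key() -> str:
    """CONSTRUCTED sample: a syntactically valid v4 RSA public-key packet holding
    tiny meaningless numbers, armored like GnuPG output. Not a usable key."""
    def mpi(n: int) -> bytes:               # multi-precision integer: bit count, then magnitude
        return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1216526400).to_bytes(4, "big") + b"\x01" + mpi(0xC0FFEE) + mpi(65537)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body   # old-format tag 6, 2-octet length
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: constructed sample", "",
                      base64.b64encode(packet).decode(),
                      "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode(),
                      "-----END PGP PUBLIC KEY BLOCK-----"])

if __name__ == "__main__":                  # usage: python3 verify_key.py repo.key "<fingerprint>"
    key_path, expected = sys.argv[1], sys.argv[2]
    with open(key_path) as fh:
        actual = fingerprint(fh.read())
    if actual != normalize(expected):
        sys.exit(f"REFUSING to import {key_path}: fingerprint {actual} != {normalize(expected)}")
    subprocess.run(["rpm", "--import", key_path], check=True)
```

A key exported by a repository or a keyserver carries user IDs and signatures after the public-key packet, but the fingerprint depends only on that first packet, so the value this script prints is the same one `gpg --with-fingerprint repo.key` shows and the same one YaST displays. The fingerprint handed to the script must come from a channel other than the download itself (a keyserver, a printed announcement, the YaST dialog on a trusted machine); checking a key against a fingerprint served from the same mirror proves nothing. Doing the comparison before `rpm --import` matters because, as the quoted message notes, once a key is in the rpm keyring every package signed with it is accepted.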
