Mailinglist Archive: opensuse-security (50 mails)

Re: [opensuse-security] Re: [security-announce] Package management security on SUSE Linux
  • From: Marcus Meissner <meissner@xxxxxxx>
  • Date: Sun, 20 Jul 2008 12:33:25 +0200
  • Message-id: <20080720103325.GA31468@xxxxxxx>
On Sun, Jul 20, 2008 at 12:28:38PM +0200, Carlos E. R. wrote:
> The Saturday 2008-07-19 at 00:18 +0200, Christian Boltz wrote:
>
>> That said: There's nothing wrong with using a keyserver - however I
>> don't think that the signatures will be useful for YaST (except for the
>> build service root key).
>> Especially, I don't want to have all signing keys imported to my rpm
>> keyring (needed to verify the signatures) because this would also mean
>> that packages signed with these keys will be accepted...
>>
>> I think a two-way solution would be the best:
>> - YaST downloads the keys from download.opensuse.org (or packman or
>> whatever repository you use)
>> - if someone wants to check a key in more detail, he can download it
>> from a keyserver, including all signatures, and compare the fingerprint
>> with the fingerprint displayed by YaST.
>>
>> The only disadvantage is that this method causes some manual work
>> (download the key from a keyserver and compare the fingerprint with the
>> one YaST displays). But security always has a price ;-)
>
> I think that, when yast or zypper adds a repo that has a signature that is
> not already imported, it should fire a new module that handles key
> importing and signing. It could be from the existing key servers, or from
> a specific key server at suse.
>
> Or at least, an "add repo module", that could display more info, like a
> description of the repo, list of persons responsible for it, signature
> keys, software they maintain there, etc.

We are trying to do such a module/dialog, but so far we have not had good ideas
on how to do it.

Some kind of draft work would be welcome.

Ciao, Marcus