Mailinglist Archive: opensuse-security (33 mails)

[opensuse-security] Why no SSL for download.opensuse.org ?
We have learned how much effort governments take to control and monitor
the Internet. With this in regard, wouldn't it make sense to switch
download.opensuse.org to SSL? I know, rpm packages are signed with
GnuPG, but if you add a new repo an attacker still is able to give you a
forged GnuPG key and a forged repo, not the repo you actually tried to
subscribe to. Thus, GnuPG signing of rpm does not prohibit
man-in-the-middle attacks. I think SSL for download.opensuse.org would give more
safety to people living in authoritarian regimes who want to download
openSUSE software.

Malte
