Mailinglist Archive: opensuse-security (33 mails)

Re: [opensuse-security] Why no SSL for ?
  • From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
  • Date: Sun, 7 Jul 2013 22:25:37 +0200 (CEST)
  • Message-id: <alpine.LNX.2.00.1307072209040.6576@Telcontar.valinor>

On Saturday, 2013-07-06 at 10:34 +0200, Malte Gell wrote:

> We have learned how much effort governments take to control and monitor
> the Internet. With this in regard, wouldn't it make sense to switch to
> SSL? I know, rpm packages are signed with GnuPG, but if you add a new
> repo an attacker still is able to give you a forged GnuPG key and a
> forged repo, not the repo you actually tried to subscribe to. Thus,
> GnuPG signing of rpm does not prohibit man in the middle attacks. I
> think SSL for would give more safety to people living in authoritarian
> regimes who want to download openSUSE software.

Not practical.

Most of the downloads do not come from, but from mirrors all over the world. The certificate would apply to, whereas the actual download might be coming from anywhere ( is a redirector); meaning they would not match and the connection would be invalidated.

To do this you would force all mirrors to provide SSL with the proper certificate (which costs money). Or would have to act as certification authority.

What you need instead is convincing openSUSE to apply a good security policy to the GnuPG signatures used.

For example, view this thread for more info: <>

or vote:

make repo keys available on project's web site via SSL

or more info:


-- Cheers,
Carlos E. R.
(from 12.3 x86_64 "Dartmouth" at Telcontar)
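The defender-side counterpart to the scenario Malte raises (a forged key handed out when a new repo is added) is to pin the key's fingerprint out of band, for example from the project's HTTPS web page as the linked vote proposes, and refuse to import anything else. The shell script below is an added example, not code from the thread or from openSUSE; it assumes GnuPG 2.1+ (for `--import-options show-only`), an RPM-based system, and a constructed fingerprint value in the test data.

```sh
#!/bin/sh
# Refuse to import a repository signing key unless its full fingerprint
# matches one obtained out of band (e.g. from the project's HTTPS site).

# Extract the primary key fingerprint from `gpg --with-colons` output on stdin.
# In colon format the "fpr" record carries the fingerprint in field 10.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare a candidate fingerprint ($1) with the pinned one ($2).
# Both are normalised (spaces removed, upper-cased); a v4 fingerprint is
# 40 hex digits, so anything shorter (e.g. a bare key ID) is rejected.
fpr_matches() {
    c=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    p=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$c" ] && [ "${#c}" -eq 40 ] && [ "$c" = "$p" ]
}

# Import a downloaded key file into the rpm database only if it is pinned.
# `show-only` lists the key without touching the local gpg keyring.
import_repo_key() {
    keyfile=$1
    pinned=$2
    fpr=$(gpg --with-colons --import-options show-only --import "$keyfile" 2>/dev/null \
          | fpr_from_colons)
    if fpr_matches "$fpr" "$pinned"; then
        rpm --import "$keyfile"
    else
        echo "refusing to import $keyfile: fingerprint '${fpr:-none}' is not the pinned '$pinned'" >&2
        return 1
    fi
}
```

Run it as `import_repo_key repo-key.asc '<pinned fingerprint>'` after downloading the key; a key ID alone is never accepted, since key IDs can be collided while full fingerprints cannot be in practice.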
