[opensuse-security] Doubt on the security model of OBS repo signing