On Sun, Jun 07, 2009 at 03:05:23PM -0700, Linda Walsh wrote:
Anders Johansson wrote:
There are only two suse keys in total: the suse "build" key (build@suse.de) and the security key (security@suse.de).
They are used for all distributions, until they expire, at which time they get an update. The current one will expire in May 2010, if I read correctly.
The other keys you have could be various other repository keys. Each build service repository has its own key.
So any mirror would have its own key?
No. Buildservice projects have their own keys. Mirrors just mirror our stuff and never have their own keys.
And build@suse.de keys? If they are from mirror sites, would it be a major problem if the summary or build-host indicated the host it came from (FQDN, not localhost)?
Having keys is excellent, but if I have duplicates and don't know one from another or where they came from, I can't really know what packages were signed against what key (all I likely would know is that they installed with one of the above keys, but that doesn't tell me if one of those 'build' keys was from: "susemirror.IwasHacked.org"... or where...?)
Isn't it possible if a mirror site were hacked, someone could also install their own hacked 'gpg' key, with the same summary? Theoretically, that is...not that it is likely to happen...
No. Yast would ask for confirmation. There was a bug in 10.2 or 10.3 which imported keys multiple times, which would explain the multiple imports.
Ciao, Marcus