Re: [opensuse-security] Verifying authenticity of Community Repositories

nordi wrote:
> Marcus Meissner wrote:
>> Also, we will switch to per-project GPG keys in the future.
> Will this create some extra security? I see the digital signature as
> proof that the package was really produced by the build service and was
> not manipulated by a man in the middle.

But the fact that the package was produced by the BS doesn't tell you
much. There's no pre-checking review by the buildservice team, the
buildservice builds whatever the packagers upload, so you don't need a
man in the middle to add 'rm -rf /' to a package scriptlet in your home
project ;). Per-project keys will allow you to select projects (to which
only a group of packagers has access) you want to trust, instead of "trust
everything that comes from the build service".
