On 2013-02-25 11:06, licehunter wrote:
>
> I came here with the same question as the OP and still I am none the
> wiser.
>
> For posterity's sake though, I will mention that on running software
> update on 12.2, it is asking me if I trust the key "B88B2FD43DBDC284". A
> Google search reveals that that key has been in use since at least 2010
> by OpenSUSE. It could of course just mean that it has been compromised
> for a long time, but if so I have lived with that for the last three
> years to no ill effect that I could see, so I'll just have to trust it.
> Still, be better if we had a proper trust system.


Well, the way to check a key is not google, but the gpg tools. You can
use kleopatra on kde or seahorse on gnome, or plain CLI. Ah, thunderbird
also has a good iinternal tool. Then you can see if the key is signed by
someone in your chain of trust, and its validity.

For example, if the key was compromised, it should have been revoked and
would show there.

In my system, that particular key shows as trusted because it has been
signed by people I trusted, probably because it came included in the DVD
gpg chain.


--
Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)