I’ve been using the OpenOffice.org STABLE repository since I installed OpenSuse a few weeks ago. Now all of a sudden, when I open the Software Manager, it asks me to import the key, even though I imported it when I added the repository originally. All the other repostories refresh normally. Has the key changed? Or has the repository been hacked? How are we to know when it’s safe to import a new key? Presumably the trusted key thing isn’t meant to change ever, or it would defeat the point!
It looks like they were making changes on the repo earlier today. Try later or tomorrow and see if your still asked to import the key.
I just imported the key and got a bunch of updates to open office (3.1.1). Every thing is fine.
I’m tempted to just do that, but it worries me if I’m expected to just accept keys that change with no information on why. I thought the whole point was to prevent people hacking in and changing things without people finding out? Is there any information anywhere on when repositories get changed or have signatures changed? I was just thinking back to Fedora that had to change all their keys last year because somebody broke into the server rooms (or something).
Where you see the information about new key, it says the key is issued by open office.org. That is why I trusted and imported it.
Of course, it is your choice, if you want to be cautious.
Sounds fair enough actually. And of course, I blindly trusted it in the first place!
Well, anyone can write he issued the new key. There should be some kind of an announcement on the web containing the fingerprint, otherwise the key is not trustful.