REPO SECURITY - Unsigned repomd.xml

OpenSUSE 11.0

Minor panic here :frowning:

Running zypper refresh is throwing up errors on KDE4:Community,
KDE3:Community and Emulators:Wine repos saying that repomd.xml is unsigned
in each of these cases.
At the moment I’m holding off updating my system until someone can help me
or assure me that these repos are Ok.

  • The repo names above may not be the ones assigned by default as I use
    rsync to make local copies of these repos and then use nfs to make them
    available to my local machines and to make use of free download bandwidth
    overnight from my ISP.
  • The rsync script runs against the ftp5.gwgd.de server.

What’s the situation here?
Can I trust these repos or not?

Alan
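
A way to check each rsync'd mirror for the unsigned state described in this post before exporting it over NFS. This is an added example, not part of any post in the thread; the `<root>/<repo>/repodata/` layout, the function names and the keyring path are assumptions.

```shell
#!/bin/sh
# Added example: audit local repo mirrors for repomd.xml signature state.
# Assumed layout: <root>/<repo>/repodata/repomd.xml with an optional
# detached signature repomd.xml.asc beside it.
# The keyring (hypothetical path) must be a binary keyring that holds only
# keys whose fingerprints were checked out of band; a key accepted blindly
# at first refresh gives no more assurance than an unsigned repomd.xml.

# Print one of: missing | unsigned | no-verifier | bad-signature | verified
repomd_state() {
    repodata="$1/repodata"
    keyring="$2"
    [ -f "$repodata/repomd.xml" ] || { echo missing; return; }
    # An absent or zero-length .asc is what zypper reports as "unsigned".
    [ -s "$repodata/repomd.xml.asc" ] || { echo unsigned; return; }
    command -v gpgv >/dev/null 2>&1 || { echo no-verifier; return; }
    if gpgv --keyring "$keyring" \
            "$repodata/repomd.xml.asc" "$repodata/repomd.xml" \
            >/dev/null 2>&1; then
        echo verified
    else
        echo bad-signature
    fi
}

# Report every repo under a mirror root as "<state><TAB><repo>".
# Returns non-zero if any repo is not in the "verified" state, so the
# rsync job can refuse to publish that night's copy.
audit_mirror() {
    root="$1"
    keyring="$2"
    rc=0
    for repo in "$root"/*/; do
        [ -d "$repo" ] || continue
        state=$(repomd_state "${repo%/}" "$keyring")
        printf '%s\t%s\n' "$state" "$(basename "$repo")"
        [ "$state" = verified ] || rc=1
    done
    return $rc
}

# Usage (paths are placeholders):
#   audit_mirror /srv/mirror /etc/mirror-trusted.gpg || echo "do not publish"
```

Running this after the rsync job and before the NFS export is refreshed keeps an unsigned or badly signed copy from replacing the last verified one on the client machines.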

Hi,

Fudokai wrote:
> OpenSUSE 11.0

> Running zypper refresh is throwing up errors on KDE4:Community,
> KDE3:Community and Emulators:Wine repos saying that repomd.xml is unsigned
> in each of these cases.

The openSUSE Build Server apparently has temporary problems with the
signing host. It used to block builds and may now have been disabled for
the time being.

Kind regards,
Andreas Stieger

Andreas Stieger wrote:

> Hi,
>
> Fudokai wrote:
>> OpenSUSE 11.0
>
>> Running zypper refresh is throwing up errors on KDE4:Community,
>> KDE3:Community and Emulators:Wine repos saying that repomd.xml is
>> unsigned in each of these cases.
>
> The openSUSE Build Server apparently has temporary problems with the
> signing host. It used to block builds and may now have been disabled for
> the time being.
>
> Kind regards,
> Andreas Stieger

Thanks for the prompt reply but there’s still the question of whether I can
trust them or not :wink:

PS I’ve just seen a similar posting on another ng (alt.os.linux.suse) so I’m
not on my own

Alan

Hi,

Fudokai wrote:
> Andreas Stieger wrote:
>> Fudokai wrote:
[repomd.xml is unsigned]
>> The openSUSE Build Server apparently has temporary problems with the
>> signing host. It used to block builds and may now have been disabled for
>> the time being.
>
> Thanks for the prompt reply but there’s still the question of whether I can
> trust them or not :wink:

You can trust them just as much as when you accepted and imported a key
you didn’t verify at all when first adding the repositories.

> PS I’ve just seen a similar posting on another ng (alt.os.linux.suse) so I’m
> not on my own

You may want to tell them, too.

Kind regards,
Andreas Stieger

Andreas Stieger wrote:

> Hi,
>
> Fudokai wrote:
>> Andreas Stieger wrote:
>>> Fudokai wrote:
> [repomd.xml is unsigned]
>>> The openSUSE Build Server apparently has temporary problems with the
>>> signing host. It used to block builds and may now have been disabled for
>>> the time being.
>>
>> Thanks for the prompt reply but there’s still the question of whether I
>> can trust them or not :wink:
>
> You can trust them just as much as when you accepted and imported a key
> you didn’t verify at all when first adding the repositories.

fair comment :wink:

>
>> PS I’ve just seen a similar posting on another ng (alt.os.linux.suse) so
>> I’m not on my own
>
> You may want to tell them, too.

I’ve passed the news on

>
> Kind regards,
> Andreas Stieger

After all that the package I was after (debuginfo for kde4 kwin) doesn’t
exist - at least not on the repos I’m checking.
I’ve had kwin crash a couple of times and can’t get a valid backtrace to
submit a good bug report :frowning:

Alan