YAST, add repository security?

When I add a repository, for example, a community repository, if I wish to add the repository, I seem to have to accept a GnuPG key with no visibility on whether or not the key is valid. The key is described by YAST as “unknown”. Is there some place where I can download a file containing a set of known keys, and find a “check sum”, or other validation for that file, so I can be sure that the list of known keys is genuine?

No you can’t. Currently this is tedious and not reliable. It is a question that comes back over and over and has induced me to integrate in my signature the feature as of below.
We are now 37 who have voted for it. Once we arrive at at least 100 votes, I promise to push this further personally, whatever it takes. If you think about it, 100 votes on a site like this is nothing. However it seems that the vast majority of users “have nothing to hide”, nor do they have to fear malware and fraud. So they just, as usual, “click” it away and (apparently) all the sorrows are gone. This repeats all over with every update of community repo signatures and with all people joining a repo (without knowing if it is a real one).
So, no, currently there is no easy (IMO there is not even a reasonably feasible) way to know if the signature is good. But you can do something:
you vote for the feature in my signature on the openFATE site (and we get to a bold 38 votes) and
b) - after having read and understood what is asked for and if agreeing with it as I think you will do - you make my signature yours and thus heighten the visibility and the votes for that feature.

BTW: this is not an initiative of mine, but of another (in my view intelligent) user. So I have no other interest in it than to be able to tell the people I help with the installation how they can have a safer system and respect safe behaviour, and by the same token I do have the hope that I will one day know what kind of repo I am adding if I have to: a reliable one… or not.

I support Stakanov. It is simple, why do we have signatures that nobody can check? It is spoofing.

Yes I think also
the feature openFATE #312047 make repo keys available on project’s web site via SSL
would really be a step in the right direction.

Martin

On 02/24/2012 11:26 AM, pistazienfresser wrote:
> Yes I think also

me three.


DD
What does DistroWatch write about YOU?: http://tinyurl.com/SUSEonDW

On 2012-02-24 04:16, toes wrote:
>
> When I add a repository, for example, a community repository, if I wish
> to add the repository, I seem to have to accept a GnuPG key with no
> visibility on whether or not the key is valid. The key is described by
> YAST as “unknown”. Is there some place where I can download a file
> containing a set of known keys, and find a “check sum”, or other
> validation for that file, so I can be sure that the list of known keys
> is genuine?

No, there is not.

There are some keys that come on the DVD, I think those of the default
repos, and the keys the security team uses to sign mails and perhaps those of some
people (I do not know for certain which). It is possible that some repo
keys are signed by other people or repo maintainers, BUT YaST doesn’t
provide any manner of key checking. There is no web of trust.

In theory, the keys could serve to tell whether a repo is suddenly changed or
supplanted. But the fact is that when the key is replaced or updated for a
bona fide reason we have no alternative but to accept it… no real
checking. We cannot distinguish whether the key was changed by its owner or by
a supplanter.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
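The situation Carlos describes, where a replaced repo key is accepted with no way to tell owner rotation from supplantation, is exactly what pinning fingerprints per repository catches. The script below is an added example, not code from this thread, from YaST or from zypper: it parses `gpg --with-colons` output for a downloaded repo key, compares the primary-key fingerprint with a locally pinned one, and reports the three cases that matter (pinned and matching, never seen, or changed). The colon-format output, the fingerprints, the repository aliases and the `pinned` dictionary are all constructed for the example.

```python
"""Pin repository signing keys by fingerprint so a replaced key is noticed.

Added example; not part of the forum thread, YaST or zypper. All sample
data below (gpg output, fingerprints, repo aliases) is constructed.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class RepoKey:
    fingerprint: str   # 40 hex chars, upper case
    uid: str           # first user ID on the key


def parse_gpg_colons(text: str) -> list[RepoKey]:
    """Extract (primary fingerprint, first uid) pairs from `gpg --with-colons` output.

    Records are colon separated; field 0 is the record type. In an 'fpr'
    record the fingerprint is field 9; in a 'uid' record the user ID is
    field 9. The 'fpr' record that follows 'pub' belongs to the primary key;
    'fpr' records after 'sub' are subkeys and are ignored here.
    """
    keys: list[RepoKey] = []
    fpr = None
    in_primary = False
    for line in text.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            in_primary = True
            fpr = None
        elif kind == "sub":
            in_primary = False
        elif kind == "fpr" and in_primary and fpr is None:
            fpr = fields[9].upper()
        elif kind == "uid" and fpr is not None:
            keys.append(RepoKey(fpr, fields[9]))
            fpr = None  # keep only the first uid of each key
    return keys


def read_key_file(path: str) -> list[RepoKey]:
    """Inspect a downloaded repo key file without importing it (real gpg; not run in the demo)."""
    out = subprocess.run(
        ["gpg", "--with-colons", "--with-fingerprint",
         "--import-options", "show-only", "--import", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_gpg_colons(out)


def check_repo_key(alias: str, offered: RepoKey, pinned: dict[str, str]) -> str:
    """Return 'trusted', 'unknown' or 'REPLACED' for the key a repository offers."""
    expected = pinned.get(alias)
    if expected is None:
        return "unknown"    # no pin yet: confirm the fingerprint out of band, then pin it
    if expected.upper() == offered.fingerprint:
        return "trusted"
    return "REPLACED"       # key differs from the pin: refuse until the change is confirmed


# Constructed sample output, one key file per (hypothetical) repository alias.
SAMPLE_KEYS = {
    "example-repo": (
        "pub:-:2048:1:0123456789ABCDEF:1330000000:::-:::scESC::::::23::0:\n"
        "fpr:::::::::0000111122223333444455556666777788889999:\n"
        "uid:-::::1330000000::0A0B0C0D0E0F10111213141516171819::Example Repo <repo@example.invalid>::::::::::0:\n"
        "sub:-:2048:1:FEDCBA9876543210:1330000000::::::e::::::23:\n"
        "fpr:::::::::9999888877776666555544443333222211110000:\n"
    ),
    "other-repo": (
        "pub:-:2048:1:1122334455667788:1330000000:::-:::scESC::::::23::0:\n"
        "fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:\n"
        "uid:-::::1330000000::1A1B1C1D1E1F20212223242526272829::Other Repo <other@example.invalid>::::::::::0:\n"
    ),
    "third-repo": (
        "pub:-:2048:1:99AABBCCDDEEFF00:1330000000:::-:::scESC::::::23::0:\n"
        "fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:\n"
        "uid:-::::1330000000::2A2B2C2D2E2F30313233343536373839::Third Repo <third@example.invalid>::::::::::0:\n"
    ),
}

# Constructed pin store (in practice a file you keep, e.g. under /etc/zypp).
PINNED = {
    "example-repo": "0000111122223333444455556666777788889999",   # matches what is offered
    "other-repo":   "FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666",   # differs: key was replaced
    # "third-repo" has no pin yet
}


def demo() -> dict[str, str]:
    """Check every sample repository against the pin store."""
    results = {}
    for alias, colons in SAMPLE_KEYS.items():
        key = parse_gpg_colons(colons)[0]
        results[alias] = check_repo_key(alias, key, PINNED)
    return results


if __name__ == "__main__":
    for alias, status in demo().items():
        print(f"{alias}: {status}")
```

On a real system the keys already accepted into the RPM database can be listed with `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'`, and a newly downloaded repo key can be passed through `read_key_file` before clicking “Import” in YaST; the first import still has to be verified out of band (a fingerprint published over HTTPS, as the openFATE request asks for), since a pin only tells you that a key has changed, not that the first one was genuine.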

On 2012-02-24 08:46, stakanov wrote:
> you vote for the ‘feature’ (https://features.opensuse.org/312047) in my
> signature on the openFATE site (and we get to a bold 38 votes) and
> b) - after having read and understood what is asked for and if agreeing
> with it as I think you will do - you make my signature yours and thus
> heighten the visibility and the votes for that feature.

Also there is need for something in YaST to manage keys and check the web
of trust of the rpm and repo keys.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 02/24/2012 02:03 PM, Carlos E. R. wrote:
> No, there is not.

so, did/do you also support the FATE?

and, should the “something in YaST to manage keys and check the web
of trust of the rpm and repo keys.” be added to the FATE, or listed in a
new one?

and, maybe this is a good Google Summer of Code project… or is there
some other way to get some attention on this prior to waiting for enough
folks to push it high enough to get noticed?


DD
What does DistroWatch write about YOU?: http://tinyurl.com/SUSEonDW

Thank you Carlos, I think this was well seen. Yes, a key management facility in YAST and a warning when keys are not trustworthy should definitely be in place.
I am supporting the feature in my signature (and AFAIK you voted for it already), because I know that resources are scarce but I do know that this is something that could be done in the short term.
I believe that the problem with YAST is that the code is quite “historical”; maybe it is difficult to start repairing and adding bits and pieces in a very old building?
But the idea you brought up is excellent (@Denver) and, by the way, to propose a project or a Google Summer of Code project is even better. I am very happy to see people being thoughtful and insightful on this. Makes one feel better.
Have a good day, both of you.

On 2012-02-24 17:05, DenverD wrote:
> On 02/24/2012 02:03 PM, Carlos E. R. wrote:
>> No, there is not.
>
> so, did/do you also support the FATE?

I did, time ago. I wasn’t very convinced, but it is much better than what
we have currently, so I voted it.

> and, should the “something in YaST to manage keys and check the web
> of trust of the rpm and repo keys.” be added to the FATE, or listed in a
> new one?

I proposed that in one of the mail lists, and devs said “no”.

> and, maybe this a a good google summer of code project…or is there some
> other way to get some attention on this prior to waiting for enough folks
> to push it high enough to get noticed?

Dunno.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

> I proposed that in one of the mail lists, and devs said “no”.

no for a good reason or ??


DD
What does DistroWatch write about YOU?: http://tinyurl.com/SUSEonDW

On 2012-02-25 02:02, DenverD wrote:
>> I proposed that in one of the mail lists, and devs said “no”.
>
> no for a good reason or ??

I don’t remember that part :-)


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)