
List:       opensuse-security
Subject:    Re: [opensuse-security] Doubt on the security model of OBS repo signing
From:       Marcus Meissner <meissner () suse ! de>
Date:       2017-09-18 14:30:09
Message-ID: 20170918143009.GH20077 () suse ! de

Hi,
On Thu, Sep 14, 2017 at 12:12:34AM +0800, star@aosc.io wrote:
> On 2017-09-13 23:26, Marcus Meissner wrote:
> >Hi,
> >
> >Thank you for your long and detailed E-Mail!
> 
> I'm really sorry for having written too much.

No problem, that was fine :)

> Here's a short summary for other readers who don't want to read the previous
> mail:
> The GPG keys for OBS are delivered in plain HTTP and require manual check,
> which could be improved.
> 
> >We have a while ago enabled https support on download.opensuse.org and
> >the next step is what you suggest in "Step 3" for us, namely changing
> >software.opensuse.org to deliver https instead of http URLs.
> >
> >(I had opened https://github.com/openSUSE/software-o-o/issues/123 a while
> >ago
> >and sent a pull request after receiving your e-mail.)
> >
> >The GPG chain of trust model is tricky for package management and we have
> >been reviewing improvements on that on or off, there likely is work to do.
> 
> Thank you for your efforts on making openSUSE better!
> 
> By the way, have you considered those 2 other suggestions? (embedding GPG
> into ymp file, displaying GPG key in OBS project page)
> Embedding the key also opens an opportunity for 3rd-party commercial
> software repo, so they don't need a separate "rpm --import".

So far we did not consider embedding GPG keys into the YMP themselves,
this is a nice idea.

The OBS project page does only show it occasionally as you wrote, so this could be improved more.

This is a bigger topic where we need to do more reviews and research and also
design how to best integrate it into the package management tools. :/

Ciao, Marcus
-- 
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
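Added example, not code from this thread or from OBS/openSUSE: a client-side check of the kind the discussion argues for. It parses a One-Click-Install (.ymp) document, refuses repositories whose URL is still plain http://, and, for a hypothetical `<gpgkey>` element carrying the repository's public key (the embedding idea from the mail), recomputes the OpenPGP v4 fingerprint from the key packet (RFC 4880, section 12.2) and compares it with a fingerprint obtained out of band, such as one displayed on the OBS project page, before the key would be passed to `rpm --import`. The `<gpgkey>` element, the `download.example.invalid` host and the RSA key material are constructed for this example and are not part of the YMP format.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

NS = "http://opensuse.org/Standards/One_Click_Install"  # real YMP namespace


def build_v4_rsa_key_packet(n: int, e: int, created: int) -> bytes:
    """Build a minimal OpenPGP v4 public-key packet (tag 6, RSA) so the
    example has something to fingerprint without shipping a real key.
    Old-format header 0x99 = tag 6 with a two-byte body length."""
    def mpi(x: int) -> bytes:
        bits = x.bit_length()
        return struct.pack(">H", bits) + x.to_bytes((bits + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(packet: bytes) -> str:
    """Fingerprint of a v4 key (RFC 4880 12.2): SHA-1 over 0x99, the two-byte
    length of the public-key packet body, and the body itself. The hash input
    is rebuilt from the body, so the result does not depend on how the packet
    happened to be framed on the wire."""
    if len(packet) < 3 or packet[0] != 0x99:
        raise ValueError("expected an old-format tag-6 packet with 2-byte length")
    body_len = struct.unpack(">H", packet[1:3])[0]
    body = packet[3:]
    if len(body) != body_len:
        raise ValueError("packet length mismatch")
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", body_len) + body).hexdigest().upper()


def check_ymp(ymp_xml: str, pinned_fingerprints: dict) -> dict:
    """Return {repository name: 'ok' or a rejection reason}. A repository is
    accepted only if its URL is https and its embedded key matches the
    fingerprint the caller obtained out of band (hypothetical <gpgkey>)."""
    root = ET.fromstring(ymp_xml)
    results = {}
    for repo in root.iter(f"{{{NS}}}repository"):
        name = repo.findtext(f"{{{NS}}}name", default="?")
        url = repo.findtext(f"{{{NS}}}url", default="")
        if not url.startswith("https://"):
            results[name] = "rejected: repository URL is not https"
            continue
        key_el = repo.find(f"{{{NS}}}gpgkey")  # hypothetical element
        if key_el is None or not key_el.text:
            results[name] = "rejected: no embedded key, manual import required"
            continue
        pinned = pinned_fingerprints.get(name, "").replace(" ", "").upper()
        if not pinned:
            results[name] = "rejected: no pinned fingerprint for this repository"
            continue
        try:
            actual = v4_fingerprint(base64.b64decode(key_el.text.strip()))
        except ValueError as exc:
            results[name] = f"rejected: bad key packet ({exc})"
            continue
        results[name] = "ok" if actual == pinned else "rejected: fingerprint mismatch"
    return results


# Constructed sample: a fake 1024-bit RSA modulus, e=65537, and a YMP with one
# http-only repository and one https repository carrying an embedded key.
SAMPLE_KEY_PACKET = build_v4_rsa_key_packet(
    n=(1 << 1023) | (0x10001 * 12345) | 1, e=65537, created=1505745009)
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY_PACKET).decode()
SAMPLE_FPR = v4_fingerprint(SAMPLE_KEY_PACKET)

SAMPLE_YMP = f"""<metapackage xmlns="{NS}">
  <group>
    <repositories>
      <repository recommended="true">
        <name>example-http</name>
        <url>http://download.example.invalid/repos/example/</url>
      </repository>
      <repository recommended="true">
        <name>example-https</name>
        <url>https://download.example.invalid/repos/example/</url>
        <gpgkey>{SAMPLE_KEY_B64}</gpgkey>
      </repository>
    </repositories>
  </group>
</metapackage>
"""


def demo() -> dict:
    # The pinned value stands in for a fingerprint read from the project page.
    return check_ymp(SAMPLE_YMP, {"example-https": SAMPLE_FPR})


if __name__ == "__main__":
    for repo_name, status in demo().items():
        print(f"{repo_name}: {status}")
```

The fingerprint deliberately comes from a separate channel rather than from the YMP itself: a fingerprint placed next to the key in the same document is only as trustworthy as the document's transport, so it adds nothing beyond what fetching the YMP over https already provides.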

