[opensuse] Re: zypper: really no check for expiration of gpg keys?



Michael Schroeder wrote:
> On Tue, Apr 13, 2010 at 12:16:29AM +0200, Joachim Schrod wrote:
>> Meta data in OBS repo-md repositories (i.e., repomd. is usually
>> signed with gpg. It seems that zypper does not check expiration of
>> used gpg keys. (zypper 1.0.13 on openSUSE 11.1, in case that matters.)
>>
>> As an example:
>> http://download.opensuse.org/repositories/Apache:/MirrorBrain/Apache_openSUSE_11.1/
>> has a key that expired on April 1, 2010; i.e., 12 days ago. (The
>> key has ID 0xBD6D129A and fingerprint EDDD C98D 96A0 F889 9AB0 7C78
>> 9584 A164 BD6D 129A.)
>>
>> I would have expected a warning or an error when this repository is
>> refreshed, but nothing as such happens.
>
> Same as with rpm ;-)

Good point; but actually I find checking repository meta-data
signatures even more important than rpm signatures. RPMs may be
validly older, since the software may not have changed for a long
time -- I do not expect that to happen for repository meta-data.

Joachim

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod Email: jschrod@xxxxxxx
Roedermark, Germany
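
The expiry check discussed in this thread, as an added example that is not part of the original message and not zypper's or rpm's code: it reads a key listing in the colon format of `gpg --with-colons --list-keys` and classifies each primary key by its expiry field. The sample listing is constructed; only the first key's fingerprint and expiry date come from the message, and the function names and the 30-day warning window are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample in the colon format printed by `gpg --with-colons --list-keys`.
# Fingerprint and expiry date of the first key are the ones quoted in the message;
# creation times, the user ID and the second key are made up.
SAMPLE = """\
pub:e:1024:17:9584A164BD6D129A:1206000000:1270080000::-:::sc:
fpr:::::::::EDDDC98D96A0F8899AB07C789584A164BD6D129A:
uid:e::::1206000000::::Constructed Repo Key <key@example.invalid>:
pub:-:2048:1:0123456789ABCDEF:1206000000:::-:::scESC:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
"""

def parse_time(value):
    """Field 7 is empty (no expiry), epoch seconds, or YYYY-MM-DD on old gpg."""
    if not value:
        return None
    if value.isdigit():
        return int(value)
    day = datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(day.timestamp())

def parse_keys(listing):
    """Collect each primary key with the fingerprint record that follows it."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 6:
            keys.append({"keyid": f[4], "expires": parse_time(f[6]), "fpr": None})
        elif f[0] == "fpr" and len(f) > 9 and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # first fpr after pub belongs to the primary key
    return keys

def key_status(expires, now, warn_days=30):
    """Classify one key against the time of the repository refresh."""
    if expires is None:
        return "no-expiry"
    if expires <= now:
        return "expired"
    return "expiring-soon" if expires - now <= warn_days * 86400 else "valid"

def audit(listing, now, warn_days=30):
    """Map fingerprint (or key ID if no fpr record) to its status at `now`."""
    return {k["fpr"] or k["keyid"]: key_status(k["expires"], now, warn_days)
            for k in parse_keys(listing)}

if __name__ == "__main__":
    now = int(datetime(2010, 4, 13, tzinfo=timezone.utc).timestamp())
    for fpr, status in audit(SAMPLE, now).items():
        print(fpr, status)
```

The status is computed from the expiry timestamp and the caller's clock instead of the validity letter in field 2, so the same listing can be evaluated for any refresh date.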
