Re: trust update servers?
- From: birre <spamtrap@xxxxxxxxxxxx>
- Date: Fri, 28 Sep 2007 11:23:43 +0200
On 2007-09-28 09:29, houghi wrote:
> David Bolt wrote:
>> To check it, all you need to do is import it into your own GPG key-ring.
>> If/when you do, you should see something like this:
>>
>> davjam@adder:/local/temp> gpg --import gpg-pubkey-9c800aca-40d8063e.asc
>> gpg: key 9C800ACA: "SuSE Package Signing Key <build@xxxxxxx>" 2 new signatures
>> gpg: Total number processed: 1
>> gpg: new signatures: 2
>> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
>> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
>
> I can make a key that says identifies itself with the same, so you are
> missing a step. However it is very unlikely that a mirror will do
> something like that.
>
> houghi
But this _CAN_ happen one day, so importing the key from the mirror is
not the best thing to do. (even if we do it all the time)
The keys should be added from another server,
that can't be hacked at the same time, or at least a fingerprint check.
This is something that maybe needs to be added to some security checker.
/bb
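
The fingerprint check suggested above, as an added example that is not part of the original thread: list the key file's fingerprint without importing it, compare it with a full fingerprint obtained from a separate channel, and import only on an exact match. The function names are hypothetical, and it assumes a GnuPG 2 release that supports `--import-options show-only` and a v4 or later key (40 or more hex digits).

```shell
#!/bin/sh
# Added example: gate a key import on a full-fingerprint comparison.

# Strip spaces, colons and newlines, then upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: the first "fpr" record, whose 10th field holds the value.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches EXPECTED < colon-listing
# Returns 0 on an exact match, 1 on mismatch, 2 if EXPECTED is unusable.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(primary_fpr)
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;   # not a hex string
    esac
    # An 8-digit key ID or a user ID string is not proof of identity,
    # so anything shorter than a full fingerprint is refused.
    [ "${#expected}" -ge 40 ] || return 2
    [ "$expected" = "$actual" ]
}

# verify_and_import KEYFILE EXPECTED_FPR
# EXPECTED_FPR must come from somewhere other than the mirror that
# served KEYFILE (install media, a second server, printed documentation).
verify_and_import() {
    # show-only lists the keys in the file and leaves the keyring untouched
    if gpg --batch --with-colons --import-options show-only \
           --import "$1" 2>/dev/null | fpr_matches "$2"; then
        gpg --import "$1"
    else
        echo "fingerprint check failed, $1 not imported" >&2
        return 1
    fi
}

# Run the check when called as: script KEYFILE EXPECTED_FPR
if [ "$#" -eq 2 ]; then
    verify_and_import "$1" "$2"
fi
```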