Re: A repository changed its public key?



On 2008-01-23 11:31, houghi wrote:
Andreas wrote:
http://lists.opensuse.org/opensuse-announce/2008-01/msg00010.html

I received the email as well. I was just too lazy to look up the URL.
:-D

houghi

Trust is the key here, so who do we trust?
Since the beginning of free software and open source, we have had no reason
not to trust the good people who help us be happy, but now we also
have evil people who will kill free software and will do anything to
infiltrate the distributions if they can.

Since we must trust the distributor of our system, I would prefer that
they also update my system with the keys from the contributors they trust,
so I don't fall into the trap of trusting a key from some false contributor.

I do not have the skill to validate the keys, other than hoping the site is intact
and the key is real.

Or, at least something like rpmkey.KDE_OBS.rpm on the main repository, and not only from the same site, even if it's unlikely someone can mirror it, hack the
code, sign everything with the false key and make us download from there.

I'm not paranoid, but if it's possible, even if very hard, someone will for sure try some time.

Many users of Linux are trained by Windows software, where they learn to click on anything even if they have no chance of knowing what to answer.
Like when the antivirus program says they have a virus, and they are asked if they want to
remove it (yes or no), and they call me.
I ask them "what program is asking that", and they say "I don't know".
So maybe it was the virus itself or the antivirus program, who knows.

It must not be like this with keys; someone we trust must trust them first, so
we don't get fooled so easily.

/bb
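The check the poster says he lacks the skill for is, in practice, comparing the fingerprint of the downloaded key with one obtained out of band (the fingerprint in the announcement mail, or a key already shipped by the distributor), before anything is handed to `rpm --import`. The following is an added example, not code from this thread or from openSUSE: it computes an OpenPGP v4 fingerprint the way RFC 4880 section 12.2 defines it (SHA-1 over 0x99, the two-byte body length and the public-key packet body) and refuses a key whose fingerprint does not match the pinned value. The key material is a constructed toy RSA modulus and exponent, not a real key, and only binary packets with old-format headers are parsed (no ASCII armor); the function names are this example's own.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed toy values: a valid packet layout, but NOT a real key.
TOY_CREATED = 1200000000  # key creation time, seconds since the epoch
TOY_N = 0xC3F1A5E7B9D2048F6A1C3E5D7B9F2A4C6E8D0B1A3C5E7F9B  # toy RSA modulus
TOY_E = 65537  # toy RSA public exponent


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_public_key_packet(created: int, n: int, e: int) -> bytes:
    """Build a v4 RSA public-key packet (RFC 4880 5.5.2) with an old-format header.

    Header byte = 0x80 (always set) | tag 6 << 2 | length type 1 (two octets),
    which is 0x99, the same byte the fingerprint computation prepends below.
    """
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    header = bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body))
    return header + body


def parse_packet(data: bytes) -> Tuple[int, bytes]:
    """Return (tag, body) of the first old-format packet in data."""
    ctb = data[0]
    if not (ctb & 0x80) or (ctb & 0x40):
        raise ValueError("only old-format packet headers are handled here")
    tag = (ctb >> 2) & 0x0F
    length_type = ctb & 0x03
    if length_type == 0:
        length, offset = data[1], 2
    elif length_type == 1:
        length, offset = struct.unpack(">H", data[1:3])[0], 3
    elif length_type == 2:
        length, offset = struct.unpack(">I", data[1:5])[0], 5
    else:
        raise ValueError("indeterminate-length packets are not supported")
    body = data[offset:offset + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def v4_fingerprint(packet: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length and the body."""
    tag, body = parse_packet(packet)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("not a v4 public-key packet")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    return digest.upper()


def key_matches_pin(packet: bytes, pinned: str) -> bool:
    """Compare the key's fingerprint with one obtained out of band, e.g. from the
    announcement mail; spaces between the groups gpg prints are ignored."""
    want = pinned.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(packet), want)


def demo() -> dict:
    """Pin the toy key, then show that a single changed byte of key material
    (here the public exponent) is rejected before any import would happen."""
    good = build_public_key_packet(TOY_CREATED, TOY_N, TOY_E)
    pinned = v4_fingerprint(good)  # stands in for the value printed in the announcement
    tampered = build_public_key_packet(TOY_CREATED, TOY_N, TOY_E + 2)
    return {
        "pinned": pinned,
        "good_accepted": key_matches_pin(good, pinned),
        "tampered_accepted": key_matches_pin(tampered, pinned),
    }


if __name__ == "__main__":
    result = demo()
    print("pinned fingerprint:   ", result["pinned"])
    print("genuine key accepted: ", result["good_accepted"])
    print("tampered key accepted:", result["tampered_accepted"])
```

Because the fingerprint is a hash over the whole public-key packet, a mirror that swaps in different key material cannot keep the fingerprint the announcement published, which is why the key file itself may come from an untrusted site as long as the fingerprint does not. What the check cannot do is vouch for the announcement channel: that is the "someone we trust must trust them first" step, which in the thread means the distributor shipping the key (or its fingerprint) through a path that is already signed.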