openFATE - openSUSE feature tracking > #312047

make repo keys available on project's web site via SSL

Feature state

Buildservice
Done

Description

I was thinking of a way to get repo keys to users in a secure fashion, so they can have some measure of trust, instead of just blindly accepting/importing new keys when installing software.
Personally, before accepting a key, I will usually try to google it by ID or fingerprint, search various gpg key servers, ask on a mailing list or newsgroup for 3rd party verification, etc. It's a pain in the ***.

So I see that the buildservice provides a https interface to project pages. It would be a nice feature to provide the project repo keys there. At least show ID and fingerprint.

Discussion


N. S. wrote: (6 years ago)

We need this for at least community repos.

t. t. wrote: (6 years ago)

Currently, without the openSUSE public key, it's not possible to verify the distribution ISO. It's better to have an official source than to search for the key on third-party servers.

R. M. wrote: (6 years ago)

It is possible to verify ISO files using an md5 or sha256 checksum and a gpg key. No one is storing their own keys on third-party servers.

For instance:
http://download.opensuse.org/distribution/12.1/iso/ contains files ending with .asc (gpg signature), .md5 (md5 checksum), and .sha256 (sha256 checksum), for each iso file.

Browsing any other release you can find there, you can see that each has a similar way to verify downloads without looking around the Internet for keys.

At a time when people have access to app stores for smartphones, that is not the most comfortable way to assure download integrity, but it is still dependable and fits well into the distribution model.

C. C. wrote: (6 years ago)

For years I have been trying to convince O.P.s coming from the Windows world to adopt safe behavior during program installation, to use software only from trusted sources, and to use GPG encryption in their email exchanges. And then, every time, the same situation: users are instructed to "just ignore and click away" the fingerprint info of the keys of the repos. This is really counterproductive and undermines the heart of the work of educating users for better and safer behavior.
Please make this available. It will highlight the competitive advantage of the repo system and of openSUSE as a security aware and oriented distribution. Thank you.

N. U. wrote: (6 years ago)

The security properties of the HTTPS PKI infrastructure are less than desirable. For the latest example, see Mozilla 724929 - Remove Trustwave Certificate(s) from trusted root certificates

https://bugzilla.mozilla.org/show_bug.cgi?id=724929

In general, though, I do agree that openSUSE should distribute repo keys to users with as much assurance as reasonably practicable.

S. S. wrote: (6 years ago)

Correct, there are the optimists of CAcert who think they can overcome this (see FOSDEM "trust the root of evil?"), but the case you cited is absolutely eloquent. That leaves us with the problem of where to create a register of repo keys, and I think that an https page is better than the current situation (that is: nothing).
IMO one ideal means is printed media. While books are too rare and take too long to come out, promotional DVDs could bear inside the cover the current repo keys for reference. This would not really come at a big additional cost AFAIK (but of course I can be wrong). It could also be an asset to convince journals (paper edition) to reserve a footnote reporting the fingerprints when, e.g., publishing an article on a new release. As this would also have an educational effect, they may be willing to do so. At FOSDEM and other presences of openSUSE a flier with the official set of IDs/fingerprints could be offered. But I am afraid about the cost factor involved.
For all these reasons (especially cost) HTTPS continues to be in my eyes a quite desirable alternative (easy to update, safer than just clicking away and at the end one step in the right direction).

c. c. wrote: (5 years ago)

We definitely need this one.

D. M. wrote: (5 years ago)

In the first instance it would be good to add simple(ish) instructions or a link to the download page to explain what commands need to be used with gpg to perform the verify.
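
The check this feature request is about, comparing a key's full fingerprint with one read from an HTTPS page before importing it, sketched as an added example that is not part of the original thread or of any openSUSE tooling. The function names, fingerprints and key listing are constructed placeholders, and `gpg --show-keys` assumes GnuPG 2.2 or later.

```shell
# Added example; all fingerprints and key data below are constructed placeholders.

# Normalise a fingerprint as people copy it from a web page: drop spaces and
# colons, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin; print the primary key fingerprint
# (field 10 of the first "fpr" record, which follows the "pub" record).
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only when EXPECTED is a full 40-hex-digit (v4) fingerprint equal to
# ACTUAL. Short 8- or 16-digit key IDs are refused (status 2): they can collide.
fpr_matches() {
    _exp=$(normalize_fpr "$1")
    _act=$(normalize_fpr "$2")
    printf '%s' "$_exp" | grep -Eq '^[0-9A-F]{40}$' || return 2
    [ "$_exp" = "$_act" ]
}

# Inspect KEYFILE ($1) without touching the keyring; import only when its
# fingerprint equals EXPECTED ($2), the value read from the HTTPS page.
import_if_trusted() {
    _found=$(gpg --show-keys --with-colons "$1" | primary_fpr_from_colons)
    if fpr_matches "$2" "$_found"; then
        gpg --import "$1"
    else
        echo "refusing import: key fingerprint is '${_found:-none}'" >&2
        return 1
    fi
}

# Constructed colon-format listing (not a real key) to exercise the parser offline.
SAMPLE_COLONS='pub:-:2048:1:89ABCDEF01234567:1300000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1300000000::X::Example Repo Key <repo@example.invalid>:
sub:-:2048:1:1111111111111111:1300000000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'
```

Called as `import_if_trusted repo.key "0123 4567 89AB ..."`, it leaves the keyring untouched on any mismatch; the same comparison applies before importing a key by any other means.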

K. C. wrote: (7 weeks ago)

Keys for OBS projects are available on build.opensuse.org, and a link to the official build key is now available at software.opensuse.org.

Last change: 7 weeks ago
Voting
Score: 76
  • Negative: 0
  • Neutral: 2
  • Positive: 76