We are currently betatesting a security improvement on our download repositories.
As you probably know http://download.opensuse.org/ is our main download redirector
for openSUSE both the distribution and the buildservice, that redirects requests
to the mirrors that host openSUSE repositories.
How are those secured?
If a YUM repositories is added to your machine, the imported GPG key it is signed with
will ensure the trust of those repositories and imported into your RPM database.
This GPG key signs the repomd.xml file with YUM, and the YUM XML metadata in turn chains
together SHA256 hashes for all the metadata and packages in the repository.
openSUSE already imports the GPG key for the base distribution repositories
and update repositories during installation of the system.
The various home and other project repositories however only get added later and as they
have different GPG keys the verification of those is a challenge.
The import of those keys so far was unsafe, as you could only check the GPG key by
directly accessing them via the open buildservice, with e.g.:
"osc signkey Emulators"
Starting last week, the download.opensuse.org redirector now also supports "https",
relying on the SSL Root CA infrastructure for some added safety.
We are phasing this in slowly as we have concerns about load of the download.opensuse.org