https enablement of

Marcus Meissner
Hi folks,

We are currently beta testing a security improvement on our download repositories.

As you probably know is our main download redirector
for openSUSE both the distribution and the buildservice, that redirects requests
to the mirrors that host openSUSE repositories.

How are those secured?

If YUM repositories are added to your machine, the imported GPG key they are signed with
will ensure the trust of those repositories and is imported into your RPM database.

This GPG key signs the repomd.xml file with YUM, and the YUM XML metadata in turn chains
together SHA256 hashes for all the metadata and packages in the repository.

openSUSE already imports the GPG key for the base distribution repositories
and update repositories during installation of the system.

The various home and other project repositories, however, only get added later, and as they
have different GPG keys, the verification of those is a challenge.

The import of those keys so far was unsafe, as you could only check the GPG key by
directly accessing them via the open buildservice, with e.g.:

        "osc signkey Emulators"

Starting last week, the redirector now also supports "https",
relying on the SSL Root CA infrastructure for some added safety.

We are phasing this in slowly as we have concerns about load of the


If you want to try, you can replace the URLs by
in the repositories.

In the near future will follow and also deliver https URLs.

Ciao, Marcus
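
The hash chain described in the message above (signed repomd.xml, then SHA256 hashes over the metadata and the packages), as an added example that is not part of the original post or of any openSUSE tool. The function names and the in-memory sample repository are constructed for illustration, the primary metadata is left uncompressed for brevity, and the GPG signature check on repomd.xml is assumed to have already succeeded.

```python
import hashlib
import xml.etree.ElementTree as ET

REPO = "{http://linux.duke.edu/metadata/repo}"      # namespace of repomd.xml
COMMON = "{http://linux.duke.edu/metadata/common}"  # namespace of primary.xml

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def checked_fetch(files, elem, ns):
    """Return the file named by elem's <location> if its SHA256 matches <checksum>."""
    href = elem.find(ns + "location").get("href")
    checksum = elem.find(ns + "checksum")
    if checksum.get("type") != "sha256":
        raise ValueError(f"{href}: unsupported checksum type")
    data = files.get(href)
    if data is None or sha256(data) != checksum.text.strip():
        raise ValueError(f"{href}: missing or SHA256 mismatch")
    return href, data

def verify_repo(files):
    """Walk repomd.xml -> primary metadata -> packages; return verified paths."""
    # Assumption: the detached GPG signature on repomd.xml was checked beforehand.
    verified = []
    repomd = ET.fromstring(files["repodata/repomd.xml"])
    for entry in repomd.findall(REPO + "data"):
        href, data = checked_fetch(files, entry, REPO)
        verified.append(href)
        if entry.get("type") == "primary":
            # The metadata is parsed only after its own hash has been verified.
            for pkg in ET.fromstring(data).findall(COMMON + "package"):
                verified.append(checked_fetch(files, pkg, COMMON)[0])
    return verified

def build_sample_repo():
    """Constructed one-package repository held in memory (not real openSUSE data)."""
    rpm = b"constructed stand-in for RPM bytes"
    primary = (
        '<metadata xmlns="http://linux.duke.edu/metadata/common"><package type="rpm">'
        f'<checksum type="sha256" pkgid="YES">{sha256(rpm)}</checksum>'
        '<location href="x86_64/demo-1.0-1.x86_64.rpm"/></package></metadata>'
    ).encode()
    repomd = (
        '<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
        f'<checksum type="sha256">{sha256(primary)}</checksum>'
        '<location href="repodata/primary.xml"/></data></repomd>'
    ).encode()
    return {"repodata/repomd.xml": repomd, "repodata/primary.xml": primary,
            "x86_64/demo-1.0-1.x86_64.rpm": rpm}
```

A change to either the package or the metadata file breaks the chain at the level above it, which is why only repomd.xml needs a signature.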