Web of trust
Posted Apr 20, 2009 8:37 UTC (Mon) by forthy (guest, #1525)
Parent article: Attacks on package managers
There's one missing piece here when signing packages: verifying the signature. I'm using OpenSuSE and several community repos, and all of them are signed (which is good). However, the keys themselves are not signed, and there's no obvious way to verify them; sometimes, the keys of a repository just change without any explanation of why. Please, SuSE guys, keys without a web of trust are of limited use - it can't be so difficult to get all those community repo maintainers together for a key signing party, e.g. at Linuxtag.