Bug 197496

Summary: import untrusted GnuPG key for yast online update source
Product: [openSUSE] openSUSE 10.2
Reporter: michel munnix <michel.munnix>
Component: YaST2
Assignee: Harald Mueller-Ney <hmuelle>
Status: RESOLVED FIXED
QA Contact: Stanislav Visnovsky <visnov>
Severity: Normal
Priority: P5 - None
CC: andreas.hanke, suse-beta
Version: Alpha 2
Target Milestone: ---
Hardware: i686
OS: Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description michel munnix 2006-08-06 18:19:19 UTC
While doing the registration step, I was prompted to accept or refuse the import of an untrusted GnuPG key, which I accepted to test:
2006-08-06 18:57:33 <1> linux-xzx1(4255) [zypp::KeyRing] KeyRing.cc(publicKeys):454 Found key [481CD492E72FD5C5] [Harald Müller-Ney (New private eMail address) <harald@mueller-ney.de>] [62A3D6A220CB039E15A2E9FA481CD492E72FD5C5]
The update source was ftp.leo.org:
2006-08-06 18:57:33 <0> linux-xzx1(4255) [media] MediaManager.cc(checkDesired):114 checkDesired(7): desired (cached)
2006-08-06 18:57:33 <0> linux-xzx1(4255) [media] MediaCurl.cc(doGetFileCopy):696 /repodata/filelists.xml.gz
2006-08-06 18:57:33 <0> linux-xzx1(4255) [media] MediaCurl.cc(doGetFileCopy):729 URL: http://ftp.leo.org/pub/comp/os/unix/linux/suse/suse/update/10.1.42/repodata/filelists.xml.gz
In my understanding, this is not an error in YaST; it's the online update repository which isn't correctly signed.
Comment 1 Michael Gross 2006-08-07 13:08:06 UTC
Harald, can you add a comment, please?
If you think this is solely YaST stuff assign it back to the screening team ;)
Comment 2 Harald Mueller-Ney 2006-08-21 10:19:11 UTC
This, the update repo of 10.1.42 (upcoming openSUSE), is an empty repomd and is really signed with my key.

We changed this now to use the official SUSE Build Key.
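
Added example, not part of the bug report and not zypp or YaST code: a log audit that extracts each "Found key" entry from the zypp KeyRing log and compares its full fingerprint against a pinned set, which is the check that separates the personal key seen in the description from the official build key mentioned in Comment 2. The regular expression is inferred from the single KeyRing line quoted above, and the pinned fingerprint is a constructed placeholder, not a real key.

```python
import re

# Constructed sample: the KeyRing line from the description plus one unrelated line.
SAMPLE_LOG = (
    "2006-08-06 18:57:33 <1> linux-xzx1(4255) [zypp::KeyRing] "
    "KeyRing.cc(publicKeys):454 Found key [481CD492E72FD5C5] "
    "[Harald Müller-Ney (New private eMail address) <harald@mueller-ney.de>] "
    "[62A3D6A220CB039E15A2E9FA481CD492E72FD5C5]\n"
    "2006-08-06 18:57:33 <0> linux-xzx1(4255) [media] "
    "MediaManager.cc(checkDesired):114 checkDesired(7): desired (cached)\n"
)

# Assumption: placeholder standing in for the vendor key you actually pin.
PINNED = {"A" * 40}

# Assumption: field layout taken from the one log line shown on this page.
KEY_LINE = re.compile(
    r"\[zypp::KeyRing\].*Found key "
    r"\[(?P<key_id>[0-9A-Fa-f]{16})\] "
    r"\[(?P<uid>.*)\] "
    r"\[(?P<fpr>[0-9A-Fa-f]{40})\]\s*$"
)

def found_keys(log_text):
    """Return (key_id, uid, fingerprint) for every 'Found key' line."""
    keys = []
    for line in log_text.splitlines():
        m = KEY_LINE.search(line)
        if m:
            keys.append((m["key_id"].upper(), m["uid"], m["fpr"].upper()))
    return keys

def audit(log_text, pinned):
    """Classify each key by full fingerprint; the UID is free text and proves nothing."""
    findings = []
    for key_id, uid, fpr in found_keys(log_text):
        if not fpr.endswith(key_id):
            status = "id-mismatch"   # logged key ID is not the fingerprint's low 64 bits
        elif fpr in pinned:
            status = "pinned"
        else:
            status = "unpinned"      # signed, but not by a key you decided to trust
        findings.append({"fingerprint": fpr, "uid": uid, "status": status})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, PINNED):
        print(f["status"], f["fingerprint"], f["uid"])
```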