On 3/15/19 2:37 PM, Daniel Kahn Gillmor wrote:
> On Fri 2019-03-15 12:35:55 +0100, Adam Majer wrote:
>> # osc chroot
>> running: sudo chroot /var/tmp/build-root/openSUSE_Tumbleweed-x86_64 su -
>> abuild
>> # gpgv
>> -bash: gpgv: command not found
>
> That's surprising to me, but i'm ignorant about SUSE so you shouldn't be
> surprised at my surprise :P
>
> How does this system cryptographically verify its software updates? or
> is it never updated? or updated "from the outside" or something?

There is a different service that checks for signatures and keyring
files that come with a package. This happens at the checkin phase or at
some review phase (some automated review bot would then verify the
signature too before allowing it to be accepted into a more important
project). Of course, one could just not have any signature, and then it
would just be skipped.

The builds don't check this, as once checked in, integrity is handled by
OBS and most packages are not signed :(

But when you check out a package, you can at least verify things.

OBS has a backend called `signer`[2] that is responsible for signing RPMs
and repository files (used by zypper, which is like apt) with a
project-specific key (you can configure your own key per project).

The nice thing about OBS is that anyone can fork any project and
add/update a package, make an image, and use that. Or pick software from
various projects, and OBS will rebuild things if build dependencies
change. It builds Debian packages too [1], Fedora, whatever, although
mostly it's used for SUSE/openSUSE projects. This is actually how SUSE
makes products based on other products and things remain consistent.

The weakest points of all these verifications are the upstreams. Many
have no signatures at all. Clearly, notmuch is not the example here :D

- Adam

[1] https://build.opensuse.org/package/show/home:adamm/Nudoku
[2] https://build.opensuse.org/monitor

_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch