[Xapian-discuss] How can I trust the xapian openSUSE packages?

Gregor Schmid gschmidx at qfs.de
Mon Nov 19 17:58:47 GMT 2007


Hi,

sorry to bother you with this, but I couldn't find a satisfying answer
to the question at openSUSE or in the xapian mailing list archives.

In short, I need to convince our provider to install the SUSE xapian
packages on the server on which they are hosting our website as well
as those of other customers. Due to that they are very concerned about
security.

The SUSE RPMs for xapian are provided on the openSUSE build service
and though I'm pretty sure that they were placed there by some of the
xapian developers, it is not clear how our provider can verify that.
On the Build Service website there is talk about a trust relationship
and a rating mechanism, but none of this seems to be implemented.

If whoever is making the SUSE RPMs available reads this message, can
you please explain whether there is any mechanism in place that
ensures that those packages come from you and not from any potentially
malicious user that creates an account at the SUSE Build Service?

If there's no such mechanism, would it be possible for you to assist
verification by, for example, publishing an MD5 hash for the latest
packages on the xapian.org website? Our provider would be willing to
trust a package downloaded directly from the authors, i.e.
www.xapian.org and posting such a hash for externally provided
packages could create the same level of trust for those.

Ideas, alternative suggestions, feedback from other users of the xapian
SUSE RPMs etc. would be greatly appreciated.

Best regards,
    Greg
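The check the provider would actually run, once the authors publish a checksum list, is the part the message leaves implicit. The script below is an added example, not code from the original post or from the Xapian project: it verifies a downloaded file against a published checksum list and fails closed on a mismatch, a missing entry or a malformed digest. It assumes the list is in the two-column `sha256sum` format and that it was fetched over a channel trusted independently of the package mirror (the authors' own site, as the message proposes), since a hash served alongside the package by the same untrusted host proves nothing. It uses SHA-256 rather than the MD5 the message mentions; the package file and checksum list it builds are constructed stand-ins, not real RPMs.

```shell
#!/bin/sh
# Added example (not from the original post or the Xapian project): verify a
# downloaded package against a checksum list obtained from a trusted channel.
# Assumptions: sha256sum (GNU coreutils) or shasum is available; the package
# file and checksum list built by build_fixture are constructed for the demo.

set -u

# Print the SHA-256 hex digest of a file, portable across coreutils/BSD.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_package FILE CHECKSUM_LIST
# CHECKSUM_LIST lines look like "<hex digest>  <filename>" (sha256sum format).
# Returns 0 only when FILE's digest equals the published entry for its name.
verify_package() {
    pkg=$1
    list=$2
    name=$(basename "$pkg")

    [ -f "$pkg" ]  || { echo "missing file: $pkg" >&2; return 2; }
    [ -f "$list" ] || { echo "missing checksum list: $list" >&2; return 2; }

    # Exact match on the filename column, so foo.rpm cannot satisfy foo.rpm.bak.
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$list")
    if [ -z "$expected" ]; then
        echo "no published checksum for $name" >&2
        return 3
    fi
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case "$expected" in
        *[!0-9a-fA-F]*) echo "malformed digest for $name" >&2; return 3 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "malformed digest length for $name" >&2
        return 3
    fi

    actual=$(digest_of "$pkg")
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name" >&2
        echo "  published: $expected" >&2
        echo "  computed:  $actual" >&2
        return 1
    fi
    echo "OK: $name matches published checksum"
    return 0
}

# build_fixture DIR: constructed test data, not real packages.
# Creates DIR/xapian-core-demo.rpm, the matching DIR/SHA256SUMS (standing in
# for the list the authors would publish), and a tampered copy with the same
# name under DIR/tampered/, as a compromised mirror would serve.
build_fixture() {
    fdir=$1
    mkdir -p "$fdir/tampered"
    printf 'constructed package payload v1\n' > "$fdir/xapian-core-demo.rpm"
    printf '%s  %s\n' "$(digest_of "$fdir/xapian-core-demo.rpm")" \
        xapian-core-demo.rpm > "$fdir/SHA256SUMS"
    printf 'constructed package payload v1 plus extra bytes\n' \
        > "$fdir/tampered/xapian-core-demo.rpm"
}

# Demo: genuine file passes, tampered copy and unknown file are rejected.
demo_dir=$(mktemp -d)
build_fixture "$demo_dir"
verify_package "$demo_dir/xapian-core-demo.rpm" "$demo_dir/SHA256SUMS" \
    || echo "unexpected: genuine file rejected" >&2
verify_package "$demo_dir/tampered/xapian-core-demo.rpm" "$demo_dir/SHA256SUMS" \
    || echo "(rejected as expected, exit $?)"
verify_package "$demo_dir/unknown.rpm" "$demo_dir/SHA256SUMS" \
    || echo "(rejected as expected, exit $?)"
rm -rf "$demo_dir"
```

In real use the checksum list would be downloaded from the authors' site over HTTPS and the package from the build service, then `verify_package <package> <list>` run before `rpm -i`. A digest comparison only shows the file equals what the authors published; it does not by itself show who built it, which is why a signature check against a key obtained from the authors is the stronger complement.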


