
Re: Checking signatures on source tarballs


From: Christopher Allan Webber
Subject: Re: Checking signatures on source tarballs
Date: Sun, 21 Feb 2016 20:20:04 -0800
User-agent: mu4e 0.9.13; emacs 24.5.1

Ludovic Courtès writes:

> Brandon Invergo <address@hidden> skribis:
>
>> Hi everyone,
>>
>> On Thu, 2015-10-08 at 13:44 +0200, Ludovic Courtès wrote:
>>
>>> Actually I see that GSRC already maintains per-package keyrings.
>>> 
>>> How is this maintained, Brandon?  That is, where do you get information
>>> on which keys to put in the keyring, etc.?
>>
>> Admittedly, it's not ideal.  When we first add a package, we make a
>> keyring for it based on whatever information is available to us.
>> Sometimes the public key is listed in the release announcement.  Other
>> times, we just have to grab the public key of whatever we see the
>> package was signed with.  Obviously, that's not very secure since it
>> could have been signed by an attacker.  However usually this process is
>> only performed when adding a new (to GNU) package.  Then, if the
>> signature-checking process ever fails on future releases, I actually
>> look into it.  Sometimes, no public key is available in any of the key
>> servers as far as I can tell.  In those cases, we ignore the signature.
>
> OK.  That’s roughly what Mark suggests that we do in Guix, an
> improvement over the current situation.
>
> Thanks for your feedback!
>
> Ludo’.

Extra reasons to want to do signature based verification:

http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/

... be careful out there!
 - Chris
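A shell wrapper for the per-package keyring check described in the thread, added here as an illustration and not code from GSRC or Guix. The keyrings/<pkg>.gpg layout, the exit codes and the file names are assumptions; it verifies only against the package's own keyring and reports a missing keyring as a distinct result so the caller can decide what to do.

```shell
#!/bin/sh
# Verify a release tarball against a per-package OpenPGP keyring
# (assumed layout: $KEYRING_DIR/<package>.gpg, one keyring per package).
# Added example; not part of the original thread.

KEYRING_DIR="${KEYRING_DIR:-./keyrings}"

# keyring_for PKG: print the path of PKG's keyring.
# The path always contains a slash, so gpgv takes it literally instead of
# looking for it inside the GnuPG home directory.
keyring_for() {
    printf '%s/%s.gpg\n' "$KEYRING_DIR" "$1"
}

# verify_tarball PKG TARBALL [SIGFILE]   (SIGFILE defaults to TARBALL.sig)
# Exit status:
#   0  good signature from a key in PKG's keyring
#   1  signature did not verify (bad, or made by a key not in the keyring)
#   2  no keyring for PKG: nothing to verify against, caller must decide
#   3  tarball or signature file missing
#   4  gpgv not installed
verify_tarball() {
    pkg=$1
    tarball=$2
    sig=${3:-$2.sig}
    keyring=$(keyring_for "$pkg")

    [ -f "$tarball" ] && [ -f "$sig" ] || {
        echo "verify_tarball: missing $tarball or $sig" >&2
        return 3
    }
    [ -f "$keyring" ] || {
        echo "verify_tarball: no keyring for $pkg ($keyring)" >&2
        return 2
    }
    command -v gpgv >/dev/null 2>&1 || {
        echo "verify_tarball: gpgv not found" >&2
        return 4
    }

    # gpgv trusts only the keyrings it is given: keys in ~/.gnupg that happen
    # to verify the file are not accepted, which is the point of a
    # per-package keyring.
    if gpgv --keyring "$keyring" "$sig" "$tarball"; then
        return 0
    fi
    return 1
}
```

Usage: `verify_tarball hello hello-2.10.tar.gz` after populating keyrings/hello.gpg with the keys you have decided to trust for that package.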
