Re: [Lynx-dev] 2.8.8 corrupted
From: Thomas Dickey
Subject: Re: [Lynx-dev] 2.8.8 corrupted
Date: Fri, 17 Nov 2017 04:34:54 -0500
User-agent: Mutt/1.5.21 (2010-09-15)

On Wed, Oct 25, 2017 at 01:48:16PM -0400, Keith Bowes wrote:
> On 2017-09-17 at 07:59:25 (-0600) Paul Gilmartin wrote:
> > Intrigued by this, I thought to verify a signature, but:
> >
> > 619 $ curl https://invisible-mirror.net/archives/lynx/tarballs/lynx2.8.8rel.2.tar.gz.asc
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.17 (FreeBSD)
> > Comment: See http://lynx.isc.org/signatures.html for info
> >
> > iEYEABECAAYFAlMdAkEACgkQXd+Pt2iOMaaB1gCg4TmKYtkoZ43EgLbdKohA9U6D
> > r7QAoN11QXq2KmLcZCtZHg4NsLaH9hws
> > =zD+J
> > -----END PGP SIGNATURE-----
> >
>
> Yeah, Thomas Dickey should update his PGP signature now that ISC no
> longer hosts Lynx.

That's a complicated topic. Here are some points:

a) I've used address@hidden for all of the changes made since
   moving the files to my regular site.

b) The signature for the older files is valid, and the keys published for
   quite a while.

c) Anyone who'd trusted the older signature would still have the same files
   (and same signature).

d) Aside from the trust issue, the nice thing about the signatures is that
   they're all dated. If I re-signed the files (replacing the signatures,
   which is what you meant by "update"), all of that information would be
   lost.

e) Besides losing the timestamps, the other side of replacing the signatures
   is that it presumes that anyone with an older copy of the tar/zip file
   will do their side and ensure that I didn't substitute/tamper with the
   files.

So... if we can address those points (in particular, refraining from calling
it "update" or anything of that nature), I could re-sign the files. But
doing that raises its own issues.

--
Thomas E. Dickey <address@hidden>
https://invisible-island.net
ftp://ftp.invisible-island.net
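
Point (d) in the message above depends on an OpenPGP signature carrying its creation time inside the data the signature covers, so replacing the signature replaces that date. The following Python is an added example, not part of the original message or of Lynx: it reads the creation time and issuer key ID from the signature quoted above, assuming the old-format v4 packet layout of RFC 4880, and does not verify the signature.

```python
import base64
import struct
from datetime import datetime, timezone

# Detached signature as quoted in the message above (lynx2.8.8rel.2.tar.gz.asc).
ARMORED = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (FreeBSD)
Comment: See http://lynx.isc.org/signatures.html for info

iEYEABECAAYFAlMdAkEACgkQXd+Pt2iOMaaB1gCg4TmKYtkoZ43EgLbdKohA9U6D
r7QAoN11QXq2KmLcZCtZHg4NsLaH9hws
=zD+J
-----END PGP SIGNATURE-----
"""

def subpackets(area):
    """Yield (type, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:   # two-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:       # five-octet length
            n, i = struct.unpack(">I", area[i:i + 4])[0], i + 4
        yield area[i] & 0x7F, area[i + 1:i + n]  # drop the "critical" bit
        i += n

def signature_info(text):
    """Parse one old-format v4 signature packet; no cryptographic verification."""
    b64 = [ln for ln in text.splitlines() if ln and ln[0] not in "-=" and ":" not in ln]
    pkt = base64.b64decode("".join(b64))
    if pkt[0] & 0xC3 != 0x80 or (pkt[0] >> 2) & 0x0F != 2 or pkt[2] != 4:
        raise ValueError("expected old-format v4 signature packet, 1-byte length")
    body = pkt[2:2 + pkt[1]]
    pk_algo, hash_algo, hlen = struct.unpack(">BBH", body[2:6])
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    info = {"pk_algo": pk_algo, "hash_algo": hash_algo}
    for t, data in subpackets(hashed):
        if t == 2:   # creation time: in the hashed area, so the signature covers it
            info["created"] = datetime.fromtimestamp(
                struct.unpack(">I", data)[0], timezone.utc)
    for t, data in subpackets(hashed + unhashed):
        if t == 16:  # issuer key ID
            info["issuer"] = data.hex().upper()
    return info
```

`signature_info(ARMORED)` reports the algorithm identifiers as RFC 4880 numbers (17 is DSA, 2 is SHA-1); the timestamp it returns is only meaningful once the signature itself has been checked against the signer's public key.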