bug#20788: 24.4; Nicolas Petton's key not included in GNU keyring
From: Glenn Morris
Subject: bug#20788: 24.4; Nicolas Petton's key not included in GNU keyring
Date: Thu, 11 Jun 2015 18:10:19 -0400
User-agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)

William G. Gardella wrote:

> I disagree that it's of no value; anybody can upload any key to any
> keyserver, but the GNU keyring can be obtained from an HTTPS server with
> a certificate signed by Gandi according to their policies, which,
> while not great, are at least better than the nonexistent verification
> provided by a keyserver.

I still don't get it:

If someone puts a bogus key on a keyserver, it will presumably fail to
verify the ftp.gnu.org tarfile.

And if someone can put a bogus Emacs tarball on ftp.gnu.org, they could
just as well put a bogus keyring file there too. So it doesn't seem to
be of any more value than a sha1sum.

> I will send the report to sysadmin, as apparently no action has been
> taken since late April, when Nicolas's key was supposedly uploaded.

Thanks. Again:

http://debbugs.gnu.org/20298#38

[...] please ask them to review the whole system, not just add [one] key.
Eg mine doesn't seem to be there either, which implies the system
has been busted for years. I assume the file is supposed to be an
automatically generated list of everyone who can upload to
ftp.gnu.org.