Re: How can we utilize latest GPG from RPM repository?

On Wed, Feb 21, 2018 at 07:36:08AM -0800, Dan Kegel wrote: > On Tue, Feb 20, 2018 at 10:16 PM, Ben McGinnes wrote: >> >> Because these two lines explain *precisely* why you need something >> like RHEL or CentOS (certified systems to go with the auditing) >> *and* updated

Re: wotmate: simple grapher for your keyring

u wot m8 http://knowyourmeme.com/memes/u-wot-m8 Nice tool; thanks for sharing! Cheers, Fraser On Wed, Feb 21, 2018 at 09:59:01AM -0500, Konstantin Ryabitsev wrote: > Hi, all: > > I've been maintaining the kernel.org web of trust for the past 5+ years, > and I wrote a number of tools to help

Re: wotmate: simple grapher for your keyring

On Wed, Feb 21, 2018 at 09:59:01AM -0500, Konstantin Ryabitsev wrote: > Hi, all: > > I've been maintaining the kernel.org web of trust for the past 5+ years, > and I wrote a number of tools to help me visualize trust paths between > fully trusted keys and those belonging to newer developers. > >

Re: Why Operating Systems don't always upgrade GnuPG

On 21/02/18 17:22, Teemu Likonen wrote: > default-key FINGERPRINT! That would help for command-line usage for a user with only one private key. But anything else might not use the default key. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me

Re: How can we utilize latest GPG from RPM repository?

On Tue, Feb 20, 2018 at 10:16 PM, Ben McGinnes wrote: > On Sat, Feb 17, 2018 at 05:06:54PM -0600, helices wrote: >> I will probably never understand why wanting to run the most current >> version of gnupg on a plethora of servers is controversial. >> >> Nevertheless, the two

Re: Why Operating Systems don't always upgrade GnuPG

Daniel Kahn Gillmor [2018-02-20 21:35:12-08] wrote: > Anyway, here's one concrete example (hinted at above) of a > programmatic gap that is much easier to achieve by mucking around with > the internal state rather than by the programmatic interface: > > * I want to introduce a new

wotmate: simple grapher for your keyring

Hi, all: I've been maintaining the kernel.org web of trust for the past 5+ years, and I wrote a number of tools to help me visualize trust paths between fully trusted keys and those belonging to newer developers. I finally got a chance to clean up the code, and I hope it's useful to others:

Re: having trouble checking the signature of a downloaded file

On 02/21/2018 11:53 AM, Peter Lebbing wrote: > On 21/02/18 10:48, Kristian Fiskerstrand wrote: >>>gpg: Signature made Tue May 4 23:03:11 2004 JST >> [...] >> >> The author should sign the package using a more modern and secure keyblock. > Note that not the key, but the /signature/ is made 14

Re: having trouble checking the signature of a downloaded file

On 21/02/18 11:53, Peter Lebbing wrote: > The > author might not be available anymore or willing to expend any effort. (Or the author might not have a more authentic copy of the file anymore either. This is not the reason I'm self-replying though). > This all comes with a major caveat. Make

Re: having trouble checking the signature of a downloaded file

On 21/02/18 10:48, Kristian Fiskerstrand wrote: >>gpg: Signature made Tue May 4 23:03:11 2004 JST > [...] > > The author should sign the package using a more modern and secure keyblock. Note that not the key, but the /signature/ is made 14 years ago. So we're talking about verifying the

Re: having trouble checking the signature of a downloaded file

On 02/21/2018 10:37 AM, Henry wrote: > I downloaded a tarball ***6.4.tar.gz, it's signature file > ***6.4.tar.gz.sig, and the author's public key **.pgp from a > well-known site. > > I imported the public key: `gpg --import **.pgp`. > For some reason, two keys were "skipped": >gpg:

Re: Why Operating Systems don't always upgrade GnuPG

On Tue, 20 Feb 2018 20:36, n...@walfield.org said: > "uncool". I left because we (Werner and I) could not work well > together. This is the same reason that Justus, Kai and Marcus left. Okay, you raised it and now my Lavamat wants to reply on this: Secret negotiations with other companies,

having trouble checking the signature of a downloaded file

I downloaded a tarball ***6.4.tar.gz, it's signature file ***6.4.tar.gz.sig, and the author's public key **.pgp from a well-known site. I imported the public key: `gpg --import **.pgp`. For some reason, two keys were "skipped": gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to

Re: Solaris 11 install libgpg-error make install hangs

On Fri 2018-02-09 16:03:01 +, Anna Kitces and Seth Fishman wrote: > Correction. it is in libgpg-error this is happening You can see logs of an example build on the Debian OS for gpg-error here: https://buildd.debian.org/status/logs.php?arch==libgpg-error Your build is likely to differ in