Ludovic Courtès writes:

> Brandon Invergo <[email protected]> skribis:
>
>> Hi everyone,
>>
>> On Thu, 2015-10-08 at 13:44 +0200, Ludovic Courtès wrote:
>>
>>> Actually I see that GSRC already maintains per-package keyrings.
>>>
>>> How is this maintained, Brandon? That is, where do you get information
>>> on which keys to put in the keyring, etc.?
>>
>> Admittedly, it's not ideal. When we first add a package, we make a
>> keyring for it based on whatever information is available to us.
>> Sometimes the public key is listed in the release announcement. Other
>> times, we just have to grab the public key of whatever we see the
>> package was signed with. Obviously, that's not very secure since it
>> could have been signed by an attacker. However, usually this process is
>> only performed when adding a new (to GNU) package. Then, if the
>> signature-checking process ever fails on future releases, I actually
>> look into it. Sometimes, no public key is available in any of the key
>> servers as far as I can tell. In those cases, we ignore the signature.
>
> OK. That’s roughly what Mark suggests that we do in Guix, an
> improvement over the current situation.
>
> Thanks for your feedback!
>
> Ludo’.
Extra reasons to want to do signature based verification: http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/ ... be careful out there! - Chris
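The per-package keyring scheme Brandon describes above, written out as an added shell example (this is not GSRC's or Guix's own code). It assumes gpg and gpgv are installed, that each package's pinned keys live in $KEYRING_DIR/<package>.gpg, and that releases ship with a detached signature file; the key point is that gpgv only consults the keyring it is given, so a valid signature from a new or unknown key is reported as a failure to look into rather than silently accepted.

```shell
#!/bin/sh
# Added illustration of per-package keyrings; not GSRC's or Guix's code.
# Assumptions: gpg and gpgv are installed; pinned keys for a package live in
# $KEYRING_DIR/<package>.gpg; each release has a detached signature file.
KEYRING_DIR="${KEYRING_DIR:-./keyrings}"

# pin_key PACKAGE KEYFILE
# Append an ASCII-armored public key (e.g. the one given in a release
# announcement) to PACKAGE's keyring. This is the step that needs a human
# judgement call about where the key came from; everything after it is
# mechanical.
pin_key() {
    pkg=$1; keyfile=$2
    mkdir -p "$KEYRING_DIR"
    gpg --batch --dearmor < "$keyfile" >> "$KEYRING_DIR/$pkg.gpg"
}

# verify_release PACKAGE TARBALL SIGNATURE
# Returns 0 for a good signature made by a key already pinned for PACKAGE,
# 1 for a bad signature or a signature by any key that is not pinned, and
# 2 when PACKAGE has no keyring at all (nothing to verify against).
# gpgv uses only the keyring passed with --keyring, so "signed by some key"
# is never enough: a changed signing key shows up as a failure to inspect.
verify_release() {
    pkg=$1; tarball=$2; sig=$3
    keyring="$KEYRING_DIR/$pkg.gpg"
    if [ ! -f "$keyring" ]; then
        echo "$pkg: no pinned keyring, refusing to verify" >&2
        return 2
    fi
    if gpgv --keyring "$keyring" "$sig" "$tarball" >/dev/null 2>&1; then
        return 0
    fi
    echo "$pkg: signature on $tarball does not verify against pinned keys" >&2
    return 1
}
```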
