On Sun, 2006-Jul-09 00:42:31 -0700, Colin Percival wrote: > I have written an automatic script >for performing binary FreeBSD 6.0 -> FreeBSD 6.1 upgrades.
That sounds useful. Are you intending to provide this for future FreeBSD minor-revision releases? >Naturally, the cryptographic hashes of all the files are verified >against values stored in the script, so as long as you trust the >FreeBSD Security Officer (and if you don't, why are you running >FreeBSD?), the process is entirely secure. But how can I tell that the script came from the FreeBSD Security Officer? You have signed your mail with a key (ID 0xD09347FC) that claims to be a Colin Percival with an Oxford Uni address (whereas this mail has a freebsd.org address) but the key that I downloaded from a PGP keyserver has no other signatures. You don't have a key in the FreeBSD CVS repository that I can locate and I can't find any keys on www.daemonology.net. Basically, I only have your word that you are who you claim to be. (Of course, I still need to be able to trust the FreeBSD CVS repository but if I can't trust that, I can't trust my OS either). If you really are the FreeBSD Security Officer why can't I find copies of your key and FreeBSD SO key (0xCA6CDFB2) that are counter-signed by each other? -- Peter Jeremy
pgpi5U6qviUzV.pgp
Description: PGP signature