On Wed, Oct 25, 2017 at 01:48:16PM -0400, Keith Bowes wrote:
> On 2017-09-17 at 07:59:25 (-0600) Paul Gilmartin wrote:
> > Intrigued by this, I thought to verify a signature, but:
> >
> > 619 $ curl https://invisible-mirror.net/archives/lynx/tarballs/lynx2.8.8rel.2.tar.gz.asc
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.17 (FreeBSD)
> > Comment: See http://lynx.isc.org/signatures.html for info
> >
> > iEYEABECAAYFAlMdAkEACgkQXd+Pt2iOMaaB1gCg4TmKYtkoZ43EgLbdKohA9U6D
> > r7QAoN11QXq2KmLcZCtZHg4NsLaH9hws
> > =zD+J
> > -----END PGP SIGNATURE-----
> >
>
> Yeah, Thomas Dickey should update his PGP signature now that ISC no
> longer hosts Lynx.

That's a complicated topic. Here are some points:

a) I've used [email protected] for all of the changes made since moving the files to my regular site.

b) The signature for the older files is valid, and the keys published for quite a while.

c) Anyone who'd trusted the older signature would still have the same files (and same signature).

d) Aside from the trust issue, the nice thing about the signatures is that they're all dated. If I re-signed the files (replacing the signatures, which is what you meant by "update"), all of that information would be lost.

e) Besides losing the timestamps, the other side of replacing the signatures is that it presumes that anyone with an older copy of the tar/zip file will do their side and ensure that I didn't substitute/tamper with the files.

So... if we can address those points (in particular, refraining from calling it "update" or anything of that nature), I could re-sign the files. But doing that raises its own issues.

--
Thomas E. Dickey <[email protected]>
https://invisible-island.net
ftp://ftp.invisible-island.net
_______________________________________________
Lynx-dev mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/lynx-dev
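
Point (d) in the reply above rests on each OpenPGP signature carrying its creation time inside the signed data. As an added example (not part of the original message and not code from the Lynx project), this Python code decodes the armored signature quoted in the thread and reads that timestamp and the issuer key ID. It only parses metadata, does not verify the signature, and assumes the old-format v4 packet layout with one-octet subpacket lengths seen in this signature.

```python
import base64
import struct
from datetime import datetime, timezone

# The detached signature as quoted in the thread above.
ARMORED = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (FreeBSD)
Comment: See http://lynx.isc.org/signatures.html for info

iEYEABECAAYFAlMdAkEACgkQXd+Pt2iOMaaB1gCg4TmKYtkoZ43EgLbdKohA9U6D
r7QAoN11QXq2KmLcZCtZHg4NsLaH9hws
=zD+J
-----END PGP SIGNATURE-----
"""

def dearmor(text):
    """Return the binary packet: base64 after the blank line, minus the '=' CRC line."""
    lines = text.strip().splitlines()
    body = lines[lines.index("") + 1:-1]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def subpackets(area):
    """Yield (type, data) pairs from a v4 subpacket area."""
    i = 0
    while i < len(area):
        n = area[i]                      # length covers the type octet plus data
        if n >= 192:
            raise ValueError("multi-octet subpacket length not handled here")
        yield area[i + 1] & 0x7F, area[i + 2:i + 1 + n]
        i += 1 + n

def signature_info(text):
    pkt = dearmor(text)
    # 0x88 = old-format header, tag 2 (signature), one-octet length; pkt[2] = version.
    if pkt[0] != 0x88 or pkt[2] != 4:
        raise ValueError("expected an old-format v4 signature packet")
    _sig_type, pk_algo, hash_algo, hlen = struct.unpack(">BBBH", pkt[3:8])
    hashed = pkt[8:8 + hlen]
    ulen = struct.unpack(">H", pkt[8 + hlen:10 + hlen])[0]
    unhashed = pkt[10 + hlen:10 + hlen + ulen]
    info = {"pk_algo": pk_algo, "hash_algo": hash_algo}
    for typ, data in subpackets(hashed):
        if typ == 2:    # creation time: in the hashed area, so the signature covers it
            secs = struct.unpack(">I", data)[0]
            info["created"] = datetime.fromtimestamp(secs, tz=timezone.utc)
    for typ, data in subpackets(unhashed):
        if typ == 16:   # issuer key ID: unhashed here, so advisory only
            info["issuer"] = data.hex().upper()
    return info
```

Replacing the `.asc` file with a fresh signature would put a new value in the creation-time subpacket, which is the dated record the reply says would be lost.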
