Re: [Cooker] contrib packages missing gpg signatures?
On Sun, Aug 17, 2003 at 12:20:23PM +0200, Luca Berra wrote:
> well, most of them are, and i believe all should be signed, not
> necessarily by mandrake, but at least from the packagers.
> After such thing as the gnu ftp server compromise i believe it is only
> responsible to sign packages.

I'd love to sign packages, but I refuse to put my GPG key on a machine I don't control. I suppose I could create a new key just for signing packages, but the issue is there's still a key that has my "blessing" on someone else's machine.

The alternative is to download each and every package to my local machine, sign and reupload... That's a lot of hassle.

I tend to agree that these packages should be handled the same way as main is and signed by a Mandrake key... A separate key could be made for contrib and signing could/should be handled the same way as main.

-- 
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

"What upsets me is not that you lied to me, but that from now on I can no longer believe you." -- Nietzsche
Re: [Cooker] contrib packages missing gpg signatures?
On Tue, Aug 19, 2003 at 12:50:24PM +0200, Guillaume Rousse wrote:
> > export GNUPGHOME="/path/to/a/directory/you/own"
> > rpm -ba --sign my.spec
> Being able to do it or not is not the problem. Contribs packages are
> official mdk packages, built on a centralized buildhost, they should get
> signed with a single key, not a gazillion different ones.

Anyway is ok for me. I just would like those packages to be signed, so i can be somewhat more safe installing them.

regards,
L.

-- 
Luca Berra -- [EMAIL PROTECTED]
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
Re: [Cooker] contrib packages missing gpg signatures?
Thus spoke Luca Berra:
> On Sun, Aug 17, 2003 at 01:05:02PM +0200, Buchan Milne wrote:
> >Warly said they were trying to address the issue. Note that it is actually
> >impossible for some contributors to sign packages (my ~/.gnupg on klama is
> >owned by root and thus prevents me from signing packages built on klama):
> >
> >[EMAIL PROTECTED] buchan]$ ls -ld ../*/.gnupg |grep root
> >drwx--2 root root 104 May 27 2002 ../buchan/.gnupg/
> >drwx--2 root root 104 Jun 18 2002 ../nanardon/.gnupg/
>
> export GNUPGHOME="/path/to/a/directory/you/own"
> rpm -ba --sign my.spec

Being able to do it or not is not the problem. Contribs packages are official mdk packages, built on a centralized buildhost, they should get signed with a single key, not a gazillion different ones.

-- 
Guillaume Rousse

Why do we drive on parkways and park on driveways?
-- Why Why Why n°30
Re: [Cooker] contrib packages missing gpg signatures?
On Sun, Aug 17, 2003 at 01:05:02PM +0200, Buchan Milne wrote:
> Warly said they were trying to address the issue. Note that it is actually
> impossible for some contributors to sign packages (my ~/.gnupg on klama is
> owned by root and thus prevents me from signing packages built on klama):
>
> [EMAIL PROTECTED] buchan]$ ls -ld ../*/.gnupg |grep root
> drwx--2 root root 104 May 27 2002 ../buchan/.gnupg/
> drwx--2 root root 104 Jun 18 2002 ../nanardon/.gnupg/

export GNUPGHOME="/path/to/a/directory/you/own"
rpm -ba --sign my.spec

regards,
L.

-- 
Luca Berra -- [EMAIL PROTECTED]
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
Re: [Cooker] contrib packages missing gpg signatures?
On Sun, 17 Aug 2003, Luca Berra wrote:
> On Sun, Aug 17, 2003 at 12:13:37PM +0200, Guillaume Rousse wrote:
> >Thus spoke Luca Berra:
> >> The following packages have bad signatures:
> ...
> >contribs are not signed at all.
> well, most of them are, and i believe all should be signed, not
> necessarily by mandrake, but at least from the packagers.

Warly said they were trying to address the issue. Note that it is actually impossible for some contributors to sign packages (my ~/.gnupg on klama is owned by root and thus prevents me from signing packages built on klama):

[EMAIL PROTECTED] buchan]$ ls -ld ../*/.gnupg |grep root
drwx--2 root root 104 May 27 2002 ../buchan/.gnupg/
drwx--2 root root 104 Jun 18 2002 ../nanardon/.gnupg/

Regards,
Buchan

-- 
|Registered Linux User #182071-|
Buchan Milne
Mechanical Engineer, Network Manager
Cellphone * Work
+27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7

** Please click on http://www.cae.co.za/disclaimer.htm to read our e-mail disclaimer or send an e-mail to [EMAIL PROTECTED] for a copy. **
Re: [Cooker] contrib packages missing gpg signatures?
On Sun, Aug 17, 2003 at 12:13:37PM +0200, Guillaume Rousse wrote:
> Thus spoke Luca Berra:
> > The following packages have bad signatures:
...
> contribs are not signed at all.

well, most of them are, and i believe all should be signed, not necessarily by mandrake, but at least from the packagers.
After such thing as the gnu ftp server compromise i believe it is only responsible to sign packages.

regards,
L.

-- 
Luca Berra -- [EMAIL PROTECTED]
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
Re: [Cooker] contrib packages missing gpg signatures?
Thus spoke Luca Berra:
> The following packages have bad signatures:
> /var/cache/urpmi/rpms/gvlc-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)
> /var/cache/urpmi/rpms/mozilla-plugin-vlc-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)
> /var/cache/urpmi/rpms/vlc-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)
> /var/cache/urpmi/rpms/vlc-plugin-a52-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)
> /var/cache/urpmi/rpms/vlc-plugin-mad-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)

contribs are not signed at all.

-- 
Guillaume Rousse

Those who can - do
Those who cannot -- teach
Those who cannot teach -- administrate
-- Mencken's Law
[Cooker] contrib packages missing gpg signatures?
The following packages have bad signatures:
/var/cache/urpmi/rpms/gvlc-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)
/var/cache/urpmi/rpms/mozilla-plugin-vlc-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)
/var/cache/urpmi/rpms/vlc-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)
/var/cache/urpmi/rpms/vlc-plugin-a52-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)
/var/cache/urpmi/rpms/vlc-plugin-mad-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)

regards,
L.

-- 
Luca Berra -- [EMAIL PROTECTED]
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
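
Added example, not part of any message in this thread: a small triage of the report format quoted in the original post, separating "unsigned but intact" from "digest failed" and refusing installation when anything is listed. The function names, the `example-1.0-1mdk` package and its `NOT OK` status line are assumptions made for illustration.

```shell
#!/bin/sh
# Triage a signature report whose package lines look like
#   <path>.rpm: <status>

# Constructed sample. The first two package lines are copied from the post;
# the third is a made-up package with an assumed "NOT OK" status.
sample_report() {
    cat <<'EOF'
The following packages have bad signatures:
/var/cache/urpmi/rpms/gvlc-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)
/var/cache/urpmi/rpms/vlc-0.6.2-2mdk.i586.rpm: Missing signature (sha1 md5 OK)
/var/cache/urpmi/rpms/example-1.0-1mdk.i586.rpm: Missing signature (sha1 MD5 NOT OK)
EOF
}

# Print "<CLASS> <file>" for every package line read from stdin.
#   UNSIGNED  digests match, but they are stored inside the package itself:
#             they show the download is intact, not who built it
#   DAMAGED   a digest failed, so the file is corrupt or was altered
#   UNKNOWN   any status this script does not recognise
classify_report() {
    awk '
    {
        i = index($0, ".rpm: ")
        if (i == 0) next                       # heading or unrelated line
        n = split(substr($0, 1, i + 3), seg, "/")
        status = substr($0, i + 6)
        if (status ~ /NOT OK/)
            class = "DAMAGED"
        else if (status ~ /^Missing signature/ && status ~ /OK\)$/)
            class = "UNSIGNED"
        else
            class = "UNKNOWN"
        print class, seg[n]
    }'
}

# Count the packages of class $1 in the report on stdin.
count_class() {
    classify_report | awk -v want="$1" '$1 == want { c++ } END { print c + 0 }'
}

# Policy gate: succeed only when the report lists no package at all.
install_gate() {
    [ "$(classify_report | wc -l | tr -d ' ')" -eq 0 ]
}
```

Pipe a saved report into `classify_report` to see each package's class, or into `install_gate` to make a wrapper script stop before installing.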