Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-25 Thread Gerald (Jerry) Carter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 22 Nov 2002, Steve Langasek wrote:

> On Fri, Nov 22, 2002 at 02:31:21PM -0800, Martin Pool wrote:
> 
> > According to samba.html, the distribution key is 
> 
> >   http://us1.samba.org/samba/ftp/samba-pubkey.asc
> >   gpg: key 2F87AF6F: public key "Samba Distribution Verification Key <[EMAIL PROTECTED]>"
> 
> Then perhaps this should be refreshed from the copy that's on the public
> keyservers, which is where I imported it from?

Done.

$ gpg --list-sigs 2F87AF6F
pub  1024D/2F87AF6F 2002-10-15 Samba Distribution Verification Key <[EMAIL PROTECTED]>
sig 3   2F87AF6F 2002-10-15   Samba Distribution Verification Key <[EMAIL PROTECTED]>
sig     D83511F6 2002-10-15   Gerald W. Carter <[EMAIL PROTECTED]>
sig     F8437071 2002-10-15   Christopher R. Hertel (U of Minnesota) <[EMAIL PROTECTED]>
sig 2   1EEF5276 2002-10-15   Jelmer Vernooij (ctrlsoft) <[EMAIL PROTECTED]>
sig     A164FD0D 2002-10-17   Koyama Mituru <[EMAIL PROTECTED]>
sig 3   0722021E 2002-10-17   Tim Potter <[EMAIL PROTECTED]>
sig     1045AA4F 2002-10-16   Volker Lendecke <[EMAIL PROTECTED]>
sig 3   DF1DD471 2002-10-17   Michael H. Warfield <[EMAIL PROTECTED]>
sig 3   8408D65D 2002-11-22   Herb Lewis <[EMAIL PROTECTED]>
sig     1A8F22BC 2002-11-22   James Willard <[EMAIL PROTECTED]>
sig 3   F5DA6BE3 2002-11-10   Vesselin Kolev <[EMAIL PROTECTED]>
sub  1024g/4A271F85 2002-10-15 [expires: 2004-10-14]
sig     2F87AF6F 2002-10-15   Samba Distribution Verification Key <[EMAIL PROTECTED]>





cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE94kXxIR7qMdg1EfYRAu1hAJ9MEjdEmnPp9PJDAE32qpo9iQg9kQCcCnxc
g165bI87tiI6AwSsIH0EyGQ=
=/mfw
-----END PGP SIGNATURE-----




Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-25 Thread Gerald (Jerry) Carter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 22 Nov 2002, Martin Pool wrote:

> This has only a single signature, from Jerry.

I'll upload a newer ascii dump of the key.  It has been signed by 
several more members.  I use the wwwkeys.us.pgp.net keyserver btw...




cheers, jerry
 -
 Hewlett-Packard - http://www.hp.com
 SAMBA Team - http://www.samba.org
 GnuPG Key - http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2 "SAMS Teach Yourself Samba in 24 Hours" 2ed
 "I never saved anything for the swim back." Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE94kP2IR7qMdg1EfYRAv1YAKCK4hV2KiobhqGiVVjU0fP4eBbXsACdGt01
wj7owrt+O+i+c5UDbURYwUE=
=r7H5
-----END PGP SIGNATURE-----




Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Paul Robertson
On Sat, 23 Nov 2002, Richard Sharpe wrote:

> Hackers don't have the intelligence to think of that :-) (tongue firmly in 
> cheek :-)

The ones that do probably have more intelligence than to sign the hack 
with a key they've put on a key server.  Evidentiary bonuses like that are 
the things an investigator's dreams are made of.

Before you go to the "steal some sap's key" thing, understand that 
relating multiple incidents also may lead to better evidence, and in turn 
to the bad guy.

"I want this system dusted for keys and key prints!" ;)

Paul
-
Paul D. Robertson  "My statements in this message are personal opinions
[EMAIL PROTECTED]  which may have no basis whatsoever in fact."




Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Richard Sharpe
On Fri, 22 Nov 2002, David W. Chapman Jr. wrote:

> On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
> > Yeah, sure, but:
> > 
> >  What does this all mean?  Why should I care?
> > 
> >  Where do I get GPG?
> > 
> >  Where do I get the samba codesigning key?  How do I import it?   How
> >  do I know I got the right one?
> > 
> >  What do I do if it doesn't verify?
> > 
> I always wondered if someone uploaded a tarball with a trojan, what's 
> preventing them from updating the .asc file as well?

Hackers don't have the intelligence to think of that :-) (tongue firmly in 
cheek :-)

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
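
The question quoted above (what stops someone who replaces the tarball from replacing the .asc as well) comes down to which key made the signature, not whether gpg reports a good one. As an added example, not part of the thread or Samba's own tooling: a shell check over gpg's `--status-fd` output that accepts a release only when the signature comes from a fingerprint pinned beforehand. `PINNED_FPR`, the function names and the sample status lines are constructed placeholders.

```shell
#!/bin/sh
# ASSUMPTION: constructed placeholder fingerprint, NOT the real Samba key.
# Get the real one over a channel independent of the download mirror.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status FPR: reads `gpg --status-fd` lines on stdin. Succeeds only if
# a VALIDSIG line names FPR (as signing key or primary key) and no line
# reports a bad, unverifiable, expired-key or revoked-key signature.
check_status() {
    want=$1 matched=0 failed=0
    while read -r prefix kind fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $kind in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)
                failed=1 ;;
            VALIDSIG)
                primary=${rest##* }   # last field: primary key fingerprint
                if [ "$fpr" = "$want" ] || [ "$primary" = "$want" ]; then
                    matched=1
                fi ;;
        esac
    done
    [ "$matched" -eq 1 ] && [ "$failed" -eq 0 ]
}

# verify_release TARBALL SIGFILE: run gpg and apply the pin.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output: signature made by the pinned key.
sample_good() {
    printf '%s\n' \
      "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key <release@example.org>" \
      "[GNUPG:] VALIDSIG $PINNED_FPR 2002-11-22 1037923200 0 3 0 17 2 00 $PINNED_FPR"
}

# Constructed status output: tarball and .asc both replaced, signed with some
# other key present in the keyring. gpg still says GOODSIG and VALIDSIG.
sample_swapped() {
    other="FEDCBA9876543210FEDCBA9876543210FEDCBA98"
    printf '%s\n' \
      "[GNUPG:] GOODSIG 76543210FEDCBA98 Constructed Release Key <release@example.org>" \
      "[GNUPG:] VALIDSIG $other 2002-11-22 1037923200 0 3 0 17 2 00 $other"
}

if sample_good | check_status "$PINNED_FPR"; then echo "pinned key: accept"; fi
if ! sample_swapped | check_status "$PINNED_FPR"; then echo "other key: reject"; fi
```

The second sample is the case raised in the thread: the user ID on a replacement key can be copied freely, so the decision rests on the full fingerprint.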